From 39297a0a171ef534127221643a3d036aa75a377b Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 18 Aug 2021 21:19:01 -0400 Subject: [PATCH 01/41] rewrite of overview; moving tables to new articles --- .../apps-in-windows-10.md | 803 +----------------- .../msix-app-packaging-tool.md | 2 + .../provisioned-apps-windows-client-os.md | 475 +++++++++++ .../system-apps-windows-client-os.md | 356 ++++++++ windows/application-management/toc.yml | 9 +- 5 files changed, 885 insertions(+), 760 deletions(-) create mode 100644 windows/application-management/provisioned-apps-windows-client-os.md create mode 100644 windows/application-management/system-apps-windows-client-os.md diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 3d8a9d9f4d..ee83c505d7 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -12,13 +12,29 @@ author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- -# Understand the different apps included in Windows 10 ->Applies to: Windows 10 +# Overview of apps on Windows client devices -On your Windows 10 devices, you can run the following app types: +> Applies to: +> +> - Windows 10 -- **Windows apps**: These apps are included with the Windows OS, and are also installed from the Microsoft Store app. There are two categories: +## App types + +There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices. + +- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. + + [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) + +- **Power Apps**: These apps connect to business data available online and on-premises, and can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/powerapps/powerapps-overview). + +- **.NET apps**: These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include: + + - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development). + - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. 
For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview). + +- **Windows apps**: These apps are included with the Windows OS, and can also installed from the Microsoft Store. There are two categories: - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps: 
@@ -28,776 +44,47 @@ On your Windows 10 devices, you can run the following app types: - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. - **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. But, not all Windows apps are UWP apps. -- **Win32 apps**: These apps are traditional Windows applications. -This article lists the provisioned Windows apps and system apps installed on a standard Windows 10 Enterprise device. If you use custom images, your specific apps might be different. + For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide). -Some of the apps show up in multiple areas. That's because their status changed between versions. Make sure to check the version column for the version you're currently running. +- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform. -## Provisioned Windows apps + Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a Web App](https://azure.microsoft.com/get-started/web-app/). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview). -The first time a user signs into a Windows device, some apps are automatically provisioned. 
To get a list of all provisioned Windows apps, run the following Windows PowerShell command: + Use MDM to create shortcut on devices -```Powershell -Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName -``` +- **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET. -The following information lists the provisioned apps on the supported Windows 10 OS versions: + For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows). -- [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | Package name: Microsoft.3DBuilder - - Supported versions: +> [!TIP] +> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/). - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | | | | | | +## Add or deploy apps to devices - --- +When your apps are ready, you can add or deploy these apps to your Windows devices. -- [Bing Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather - - Supported versions: +- **Manually install**: On your devices, users can install apps from the Microsoft Store and from the internet. These apps, and more, are listed in **Settings** > **Apps and Features**. - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| +- **Mobile device management (MDM)**: Use a MDM provider, such as Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy and configure apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add store apps, and more. - --- + For more information, see: -- [Desktop App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | Package name: Microsoft.DesktopAppInstaller - - Supported versions: + - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) + - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | Use Settings App | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| +- Settings > Apps & features: Provisioned apps, apps installed by users, and apps installed by MDM providers are listed in **Settings** > **Apps and Features**. +- Use Store +- Windows Package Manager: https://docs.microsoft.com/en-us/windows/package-manager + - Can install apps from store, or from package. It's a developer tool. + - Only for Windows - --- +- App-V: + - app-v server: might not support Win11. It's a separate download. + - app-v client: does support Win11. The OS ships with client installs. -- [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp - - Supported versions: + Goal: Stop using app-v, and get on Azure Virtual desktop with msix app attach - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| - --- - -- [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | Package name: Microsoft.Getstarted - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| - - --- - -- [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEIFImageExtension - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| - - --- - -- [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| - - --- - -- [Microsoft 3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftSolitaireCollection - - Supported versions: - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftStickyNotes - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | Package name: Microsoft.MixedReality.Portal - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | Package name: Microsoft.MSPaint - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | Package name: Microsoft.Office.OneNote - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | Package name: Microsoft.OneConnect - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| - - --- - -- Microsoft.Outlook.DesktopIntegrationServices - - Supported versions: - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | | ✔️ | ✔️| | ✔️| | | - - --- - -- [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | Package name: Microsoft.People - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | Package name: Microsoft.Print3D - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| - - --- - -- [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | Package name: Microsoft.SkypeApp - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | Package name: Microsoft.StorePurchaseApp - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- Microsoft.VP9VideoExtensions - - Supported versions: - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | Package name: Microsoft.Wallet - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | Package name: Microsoft.WebMediaExtensions - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.WebpImageExtension - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | Package name: Microsoft.WindowsAlarms - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCalculator - - Supported versions: - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCamera - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | Package name: microsoft.windowscommunicationsapps - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | Package name: Microsoft.WindowsFeedbackHub - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | Package name: Microsoft.WindowsMaps - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | Package name: Microsoft.WindowsStore - - Supported versions: - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - - - The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you can restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it. - -- [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | Package name: Microsoft.XboxApp - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGameOverlay - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGamingOverlay - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | Package name: Microsoft.XboxIdentityProvider - - Supported versions: - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- Microsoft.XboxSpeechToTextOverlay - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -- [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | Package name: Microsoft.ZuneVideo - - Supported versions: - - --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| - - --- - -## System apps - -System apps are used by the operating system. To get a list of all the system apps, run the following Windows PowerShell command: - -```Powershell -Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation -``` - -The following information lists the system apps on some Windows 10 OS versions: - -- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89 - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515 - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- InputApp - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | - - --- - -- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Hello setup UI | Package name: Microsoft.BioEnrollment - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.CredDialogHost - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.ECApp - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.LockApp - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft Edge | Package name: Microsoft.MicrosoftEdge - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.MicrosoftEdgeDevToolsClient - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.PPIProjection - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | - - --- - -- Microsoft.Win32WebViewHost - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.Apprep.ChxApp - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.AssignedAccessLockApp - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.CapturePicker - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.CloudExperienceHost - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.ContentDeliveryManager - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Cortana | Package name: Microsoft.Windows.Cortana - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | - - --- - -- Microsoft.Windows.OOBENetworkCaptivePort - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.OOBENetworkConnectionFlow - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.ParentalControls - - --- - | Uninstall through UI? 
| 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.PinningConfirmationDialog - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.SecHealthUI - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.SecureAssessmentBrowser - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Start | Package name: Microsoft.Windows.ShellExperienceHost - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.XboxGameCallableUI - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Windows.CBSPreview - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Settings | Package name: Windows.immersivecontrolpanel - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Print 3D | Package name: Windows.Print3D - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ✔️ | | | ✔️ | - - --- - -- Print UI | Package name: Windows.PrintDialog - - --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | - - --- +## Remove apps diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 96e4e52e60..97a832c6e9 100644 --- a/windows/application-management/msix-app-packaging-tool.md 
+++ b/windows/application-management/msix-app-packaging-tool.md @@ -12,6 +12,8 @@ ms.date: 12/03/2018 ms.reviewer: manager: dansimp author: greg-lindsay + +ROBOTS: NOINDEX --- # Repackage existing win32 applications to the MSIX format diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md new file mode 100644 index 0000000000..c426de223d --- /dev/null +++ b/windows/application-management/provisioned-apps-windows-client-os.md 
@@ -0,0 +1,475 @@ +--- +title: Get the provisioned apps on Windows client operating system | Microsoft Docs +ms.reviewer: +manager: dougeby +description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: mandia +author: MandiOhlinger +ms.localizationpriority: medium +ms.topic: article +--- + +# Provisioned apps installed with the Windows client OS + +> Applies to: +> +> - Windows 10 + +Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. + +This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows Powershell command to get a list. + +## Use Windows Powershell + +To get a list of all the provisioned apps, use Windows PowerShell: + +1. Open the Windows PowerShell app as administrator. +2. Run the following script: + + ```Powershell + Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName + ``` + +The output lists all the provisioned apps, and their package names. For more information on this command, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage) (opens another Microsoft website). + +## Built-in provisioned apps list + +The following information lists some of the provisioned apps on the different Windows Enterprise client OS versions. Your specific OS version and image may have different apps. 
To confirm your app list, run the [PowerShell Get-AppxProvisionedPackage command](#use-windows-powershell) (in this article). + +Provisioned apps are also listed in **Settings** > **Apps and Features**. + +- [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | Package name: Microsoft.3DBuilder + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | | | | | | + + --- + +- [Bing Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + + --- + +- [Desktop App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | Package name: Microsoft.DesktopAppInstaller + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | Use Settings App | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + + --- + +- [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | Package name: Microsoft.Getstarted + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + + --- + +- [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEIFImageExtension + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + + --- + +- [Microsoft 3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftSolitaireCollection + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftStickyNotes + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | Package name: Microsoft.MixedReality.Portal + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | Package name: Microsoft.MSPaint + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | Package name: Microsoft.Office.OneNote + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | Package name: Microsoft.OneConnect + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + + --- + +- Microsoft.Outlook.DesktopIntegrationServices + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | | ✔️ | ✔️| | ✔️| | | + + --- + +- [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | Package name: Microsoft.People + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | Package name: Microsoft.Print3D + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + + --- + +- [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | Package name: Microsoft.SkypeApp + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | Package name: Microsoft.StorePurchaseApp + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- Microsoft.VP9VideoExtensions + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | Package name: Microsoft.Wallet + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | Package name: Microsoft.WebMediaExtensions + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.WebpImageExtension + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | Package name: Microsoft.WindowsAlarms + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCalculator + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCamera + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | Package name: microsoft.windowscommunicationsapps + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | Package name: Microsoft.WindowsFeedbackHub + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | Package name: Microsoft.WindowsMaps + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | Package name: Microsoft.WindowsStore + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + + - The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you can restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it. + +- [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | Package name: Microsoft.XboxApp + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGameOverlay + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGamingOverlay + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | Package name: Microsoft.XboxIdentityProvider + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- Microsoft.XboxSpeechToTextOverlay + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone + - Supported versions: + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- + +- [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | Package name: Microsoft.ZuneVideo + - Supported versions: + + --- + | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + + --- diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md new file mode 100644 index 0000000000..0ac52b682f --- /dev/null +++ b/windows/application-management/system-apps-windows-client-os.md 
@@ -0,0 +1,356 @@ +--- +title: Get the system apps on Windows client operating system | Microsoft Docs +ms.reviewer: +manager: dougeby +description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: mandia +author: MandiOhlinger +ms.localizationpriority: medium +ms.topic: article +--- + +# System apps installed with the Windows client OS + +> Applies to: +> +> - Windows 10 + +On all Windows devices, the OS automatically installs some apps. These apps are called system apps, and are typically installed in the `C:\Windows\` folder. On your Windows devices, you can use Windows PowerShell to see the system apps automatically installed. + +This article lists the built-in system apps on some Windows OS versions, and lists the Windows Powershell command to get a list. + +## Use Windows Powershell + +To get a list of all the system apps, use Windows PowerShell: + +1. Open the Windows PowerShell app as administrator. +2. Run the following script: + + ```Powershell + Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation + ``` + +The output lists all the system apps, and their installation location. For more information on this command, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage) (opens another Microsoft website). + +## Built-in system apps list + +The following information lists the system apps on some Windows Enterprise OS versions. Your specific OS version and image may have different apps. To confirm your app list, run the [PowerShell Get-AppxPackage command](#use-windows-powershell) (in this article). + +- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89 + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515 + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- InputApp + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | | | ✔️ | + + --- + +- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Hello setup UI | Package name: Microsoft.BioEnrollment + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.CredDialogHost + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.ECApp + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.LockApp + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft Edge | Package name: Microsoft.MicrosoftEdge + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.MicrosoftEdgeDevToolsClient + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.PPIProjection + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | | | ✔️ | + + --- + +- Microsoft.Win32WebViewHost + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.Apprep.ChxApp + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.AssignedAccessLockApp + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.CapturePicker + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.CloudExperienceHost + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.ContentDeliveryManager + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Cortana | Package name: Microsoft.Windows.Cortana + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | | | ✔️ | + + --- + +- Microsoft.Windows.OOBENetworkCaptivePort + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.OOBENetworkConnectionFlow + + --- + | Uninstall through UI? 
| 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.ParentalControls + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.PinningConfirmationDialog + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.SecHealthUI + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.Windows.SecureAssessmentBrowser + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Start | Package name: Microsoft.Windows.ShellExperienceHost + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Microsoft.XboxGameCallableUI + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Windows.CBSPreview + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Settings | Package name: Windows.immersivecontrolpanel + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- + +- Print 3D | Package name: Windows.Print3D + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ✔️ | | | ✔️ | + + --- + +- Print UI | Package name: Windows.PrintDialog + + --- + | Uninstall through UI? | 21H1 | 20H2 | 1809 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️ | + + --- diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index 5b921380b9..8e5fd3acd8 100644 
--- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -3,8 +3,13 @@ items: href: index.yml - name: Application management items: - - name: Apps in Windows 10 + - name: Apps in Windows client OS href: apps-in-windows-10.md + items: + - name: Provisioned apps in Windows client OS + href: provisioned-apps-windows-client-os.md + - name: System apps in Windows client OS + href: system-apps-windows-client-os.md - name: Add apps and features in Windows 10 href: add-apps-and-features.md - name: Sideload apps @@ -13,7 +18,7 @@ items: href: enterprise-background-activity-controls.md - name: Enable or block Windows Mixed Reality apps in the enterprise href: manage-windows-mixed-reality.md - - name: Repackage win32 apps in the MSIX format + - name: Repackage win32 apps in the MSIX format - DELETE href: msix-app-packaging-tool.md - name: Application Virtualization (App-V) items: From 713b3a0ef9a3836c76569fa4ca671ab1c51d2660 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Thu, 19 Aug 2021 21:19:28 -0400 Subject: [PATCH 02/41] adding deploy section --- .../apps-in-windows-10.md | 79 ++++++++++++++++--- 1 file changed, 67 insertions(+), 12 deletions(-) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index ee83c505d7..0b8ebbf7c7 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
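Review bot: In the new provisioned-apps-windows-client-os.md file of this patch, the front-matter `description` has two typos that will show up in search snippets: `get a list off the provisioned apps` should be `get a list of the provisioned apps`, and `installed a Windows Enterprise client computer` is missing `on`. The heading `## Use Windows Powershell`, the sentence `lists the Windows Powershell command to get a list`, and the fence tag ```` ```Powershell ```` spell the product name differently from the `Windows PowerShell` used in the body of the same file; pick one spelling (and a lowercase `powershell` fence tag). The Microsoft Messaging entry reads `Package name:Microsoft.Messaging` with the space missing. One content point: the warning under the Microsoft Store entry (`The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you can restore your system from a backup, or reset your system.`) is the one place in the list where a removal is not recoverable, yet it is a plain sub-bullet below a table and the same table marks the app `❌` for uninstall through the UI. Promote it to a callout (patch 02 in this series already uses the `> [!TIP]` form) and say that the removal it warns about is the PowerShell path, not Settings.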
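Review bot: In the new system-apps-windows-client-os.md file, the one-liner `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` relies on the aliases `?` and `Sort`; in a reference article spell them out as `Where-Object` and `Sort-Object` so the command reads the same everywhere (the provisioned-apps article's command uses full cmdlet names). Step 1 says to open PowerShell as administrator, but nothing in this command needs elevation as written; either drop that step or add `-AllUsers` (which does require it) and say which scope the list is meant to reflect. The front-matter description repeats the `get a list off the system apps` and `installed a Windows Enterprise client computer` typos from the other new article. Finally, Print 3D appears in both new articles with different package names and opposite answers in the `Uninstall through UI?` column (`Microsoft.Print3D` is `❌` as a provisioned app, `Windows.Print3D` is `✔️` as a system app, and the system-app row is blank for 21H1 and 20H2); one sentence explaining that these are different packages, or a check that the `✔️` is right, would prevent reader confusion.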
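Review bot: In the toc.yml hunk at `@@ -13,7 +18,7 @@`, the retitled entry `- name: Repackage win32 apps in the MSIX format - DELETE` puts an author's working note into a reader-visible navigation title; `- DELETE` will render in the left-hand TOC as soon as this merges. Either leave the title unchanged and track the removal in an issue, or remove the entry (and the page it points to, `msix-app-packaging-tool.md`, with a redirect) in the commit that actually does the deletion. The first toc.yml hunk (`@@ -3,8 +3,13 @@`), which nests the two new articles under `Apps in Windows client OS`, looks fine.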
@@ -19,6 +19,16 @@ ms.topic: article > > - Windows 10 +## Before you begin + +As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. + +In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: + +- [Microsoft Endpoint Manager overview](mem/endpoint-manager-overview) +- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) +- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) + ## App types There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices. 
@@ -34,7 +44,7 @@ There are different types of apps that can run on your Windows client devices. T - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development). - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview). -- **Windows apps**: These apps are included with the Windows OS, and can also installed from the Microsoft Store. There are two categories: +- **Windows apps**: These apps are included with the Windows OS, and can also be installed from the Microsoft Store. There are two categories: - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps: 
@@ -62,29 +72,74 @@ There are different types of apps that can run on your Windows client devices. T ## Add or deploy apps to devices -When your apps are ready, you can add or deploy these apps to your Windows devices. +When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. - **Manually install**: On your devices, users can install apps from the Microsoft Store and from the internet. These apps, and more, are listed in **Settings** > **Apps and Features**. -- **Mobile device management (MDM)**: Use a MDM provider, such as Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy and configure apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add store apps, and more. + If you want to prevent users from downloading apps on organization owned devices, you can use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). + + For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). + +- **Mobile device management (MDM)**: Use a MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more. 
For more information, see: - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) -- Settings > Apps & features: Provisioned apps, apps installed by users, and apps installed by MDM providers are listed in **Settings** > **Apps and Features**. -- Use Store -- Windows Package Manager: https://docs.microsoft.com/en-us/windows/package-manager - - Can install apps from store, or from package. It's a developer tool. - - Only for Windows +- **Microsoft Store**: Using the Microsoft Store app, Windows users can download apps from the public store, and download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **Windows Package Manager** to add apps to the private store. -- App-V: - - app-v server: might not support Win11. It's a separate download. - - app-v client: does support Win11. The OS ships with client installs. + To help manage the Microsoft Store on your devices, you can use policies: - Goal: Stop using app-v, and get on Azure Virtual desktop with msix app attach + - On premises, you can use Administrative Templates in group policy to control access to the Microsoft Store app (`User Configuration\Administrative Templates\Windows Components\Store`). + - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to control access to the Microsoft Store app. 
+ For more information, see: + + - [Microsoft Store for Business and Education](/microsoft-store/) + - [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423) + +- **MSIX for desktop apps**: MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX. + + To deploy MSIX packages and their apps, you can: + + - Use an MDM provider, like Microsoft Intune and Configuration Manager. + - Use an App Installer so users double-click an installer file, or select a link on a web page. + - And more. + + For more information, see: + + - [What is MSIX?](/windows/msix/overview) + - [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise) + +- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers. + + If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option for your organization. + + For more information, see [Windows Package Manager](/windows/package-manager). + +- **Azure Virtual desktop with MSIX app attach**: With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups. + + The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. 
Users use the apps as if they were installed locally. + + If you currently use App-V, and want to decrease your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization. + + For more information, see: + + - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) + - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) + +- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps. On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they were installed locally. + + The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md). + + To help manage App-V on your devices, you can use policies: + + - On premises, you can use Administrative Templates in group policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`). + - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to deploy App-V policies. + + > [!TIP] + > If you want to decrease your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the better deployment for your organization. ## Remove apps From 17262985e69fb1a1f623b0794c6258b34b1076b5 Mon Sep 17 00:00:00 2001 
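Review bot: In the `## Before you begin` hunk (`@@ -19,6 +19,16 @@`), the link `[Microsoft Endpoint Manager overview](mem/endpoint-manager-overview)` is missing its leading slash; the two links right after it use `/mem/...`, and a relative `mem/...` target resolves against the current folder and will 404 in the rendered page. Change it to `/mem/endpoint-manager-overview`.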
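Review bot: In the `## Add or deploy apps to devices` hunk (`@@ -62,29 +72,74 @@`), the Microsoft Store bullet states `If your organization creates its own apps, you can use **Windows Package Manager** to add apps to the private store.` That does not match the Windows Package Manager bullet later in the same hunk, which describes it as a command-line tool for getting apps from the Microsoft Store or GitHub and installing them, nor the private-store links that follow (both point to Microsoft Store for Business); please confirm which tool is meant and correct one of the two passages. Smaller fixes in the same hunk: `Use a MDM provider` should be `an MDM provider`; `you can can get apps` has a doubled word; `Use an MDM provider, like Microsoft Intune and Configuration Manager.` should read `or`; and the service name is capitalized three ways (`Azure Virtual desktop`, `Azure virtual desktop`, and `Azure Virtual Desktop` in the linked title). One scoping point worth a sentence: the manual-install bullet is about preventing users from installing apps on organization-owned devices, but the Store policy path given is `User Configuration\Administrative Templates\Windows Components\Store`, while the App-V bullet uses a `Computer Configuration\...` path; say whether the Store restriction is meant to be applied per user or per device, since the stated goal is device-scoped.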
From: Gary Moore Date: Sat, 21 Aug 2021 13:08:01 -0700 Subject: [PATCH 03/41] Add periods to alt text No other changes --- CONTRIBUTING.md | 10 +- ...ct-data-using-enterprise-site-discovery.md | 14 +- ...rprise-mode-logging-and-data-collection.md | 18 +- ...-on-enterprise-mode-and-use-a-site-list.md | 4 +- ...control-and-logging-for-enterprise-mode.md | 4 +- ...ct-data-using-enterprise-site-discovery.md | 14 +- .../deprecated-document-modes.md | 2 +- ...doc-modes-and-enterprise-mode-site-list.md | 6 +- .../out-of-date-activex-control-blocking.md | 6 +- ...-the-default-browser-using-group-policy.md | 2 +- ...rprise-mode-logging-and-data-collection.md | 18 +- ...s-and-tricks-to-manage-ie-compatibility.md | 4 +- ...-on-enterprise-mode-and-use-a-site-list.md | 4 +- ...control-and-logging-for-enterprise-mode.md | 4 +- .../licensing-version-and-features-ieak11.md | 52 ++--- .../educator-tib-get-started.md | 62 +++--- education/trial-in-a-box/index.md | 4 +- .../trial-in-a-box/itadmin-tib-get-started.md | 46 ++--- education/trial-in-a-box/support-options.md | 12 +- education/windows/autopilot-reset.md | 8 +- education/windows/change-to-pro-education.md | 20 +- .../windows/chromebook-migration-guide.md | 4 +- .../configure-windows-for-education.md | 10 +- .../deploy-windows-10-in-a-school-district.md | 16 +- .../windows/deploy-windows-10-in-a-school.md | 14 +- .../windows/edu-deployment-recommendations.md | 12 +- .../education-scenarios-store-for-business.md | 4 +- .../windows/get-minecraft-for-education.md | 6 +- education/windows/index.md | 10 +- education/windows/school-get-minecraft.md | 46 ++--- .../set-up-school-pcs-azure-ad-join.md | 2 +- .../set-up-students-pcs-to-join-domain.md | 2 +- .../windows/set-up-students-pcs-with-apps.md | 26 +-- education/windows/set-up-windows-10.md | 2 +- education/windows/take-a-test-multiple-pcs.md | 14 +- education/windows/take-a-test-single-pc.md | 4 +- education/windows/take-tests-in-windows-10.md | 2 +- 
education/windows/teacher-get-minecraft.md | 22 +- .../windows/use-set-up-school-pcs-app.md | 2 +- smb/cloud-mode-business-setup.md | 92 ++++----- smb/index.md | 6 +- ...quire-apps-microsoft-store-for-business.md | 2 +- .../billing-understand-your-invoice-msfb.md | 6 +- ...or-business-education-powershell-module.md | 2 +- ...oubleshoot-microsoft-store-for-business.md | 10 +- ...-new-microsoft-store-business-education.md | 4 +- .../working-with-line-of-business-apps.md | 2 +- ...ation-publishing-and-client-interaction.md | 6 +- .../app-v/appv-deployment-checklist.md | 6 +- .../app-v/appv-install-the-sequencer.md | 2 +- .../app-v/appv-planning-checklist.md | 12 +- ...enterprise-background-activity-controls.md | 6 +- .../per-user-services-in-windows.md | 14 +- .../svchost-service-refactoring.md | 8 +- .../administrative-tools-in-windows-10.md | 4 +- ...nced-troubleshooting-802-authentication.md | 20 +- .../advanced-troubleshooting-boot-problems.md | 2 +- ...eshooting-wireless-network-connectivity.md | 4 +- ...t-removal-policy-external-storage-media.md | 2 +- .../connect-to-remote-aadj-pc.md | 4 +- .../client-management/img-boot-sequence.md | 2 +- .../introduction-page-file.md | 6 +- ...e-device-installation-with-group-policy.md | 38 ++-- .../manage-settings-app-with-group-policy.md | 2 +- ...-in-your-organization-modern-management.md | 2 +- .../mandatory-user-profile.md | 16 +- .../mdm/accountmanagement-csp.md | 2 +- ...ure-ad-tenant-and-azure-ad-subscription.md | 32 +-- .../client-management/mdm/applocker-csp.md | 6 +- .../mdm/appv-deploy-and-config.md | 2 +- ...e-active-directory-integration-with-mdm.md | 6 +- ...omatic-mdm-enrollment-in-the-new-portal.md | 4 +- .../client-management/mdm/bootstrap-csp.md | 2 +- .../mdm/browserfavorite-csp.md | 2 +- ...ollment-using-windows-provisioning-tool.md | 16 +- .../mdm/cellularsettings-csp.md | 2 +- .../mdm/cm-cellularentries-csp.md | 2 +- ...onfiguration-service-provider-reference.md | 60 +++--- 
.../mdm/device-update-management.md | 14 +- .../mdm/deviceinstanceservice-csp.md | 2 +- .../client-management/mdm/devicelock-csp.md | 2 +- .../diagnose-mdm-failures-in-windows-10.md | 20 +- .../disconnecting-from-mdm-unenrollment.md | 2 +- .../mdm/eap-configuration.md | 22 +- .../mdm/enable-admx-backed-policies-in-mdm.md | 12 +- ...dded-8-1-handheld-devices-to-windows-10.md | 44 ++-- ...device-automatically-using-group-policy.md | 44 ++-- .../mdm/enterprise-app-management.md | 2 +- .../mdm/enterpriseappmanagement-csp.md | 2 +- .../client-management/mdm/filesystem-csp.md | 2 +- .../mdm/healthattestation-csp.md | 2 +- windows/client-management/mdm/hotspot-csp.md | 2 +- ...rver-side-mobile-application-management.md | 2 +- ...ent-tool-for-windows-store-for-business.md | 6 +- .../mdm/mdm-enrollment-of-windows-devices.md | 76 +++---- .../client-management/mdm/messaging-csp.md | 2 +- .../mdm/mobile-device-enrollment.md | 2 +- windows/client-management/mdm/napdef-csp.md | 4 +- ...ew-in-windows-mdm-enrollment-management.md | 10 +- .../mdm/passportforwork-csp.md | 4 +- .../policy-configuration-service-provider.md | 2 +- .../mdm/policy-csp-deviceinstallation.md | 8 +- .../mdm/push-notification-windows-mdm.md | 16 +- .../client-management/mdm/pxlogical-csp.md | 4 +- ...ree-azure-active-directory-subscription.md | 6 +- .../mdm/securitypolicy-csp.md | 2 +- .../mdm/understanding-admx-backed-policies.md | 4 +- .../mdm/unifiedwritefilter-csp.md | 2 +- windows/client-management/mdm/vpn-csp.md | 2 +- .../mdm/w4-application-csp.md | 2 +- .../mdm/w7-application-csp.md | 2 +- windows/client-management/mdm/wifi-csp.md | 2 +- .../mdm/windows-mdm-enterprise-settings.md | 2 +- .../windowsadvancedthreatprotection-csp.md | 2 +- .../mdm/wmi-providers-supported-in-windows.md | 60 +++--- windows/client-management/quick-assist.md | 2 +- .../troubleshoot-inaccessible-boot-device.md | 16 +- .../troubleshoot-stop-errors.md | 4 +- .../troubleshoot-tcpip-connectivity.md | 16 +- 
.../troubleshoot-tcpip-netmon.md | 8 +- .../troubleshoot-tcpip-port-exhaust.md | 18 +- .../troubleshoot-tcpip-rpc-errors.md | 10 +- .../windows-version-search.md | 10 +- .../configure-windows-10-taskbar.md | 16 +- .../cortana-at-work/cortana-at-work-crm.md | 4 +- .../cortana-at-work-powerbi.md | 26 +-- .../cortana-at-work-voice-commands.md | 2 +- .../customize-and-export-start-layout.md | 2 +- ...-10-start-screens-by-using-group-policy.md | 4 +- ...-by-using-provisioning-packages-and-icd.md | 2 +- ...ation-user-model-id-of-an-installed-app.md | 2 +- windows/configuration/kiosk-methods.md | 12 +- windows/configuration/kiosk-prepare.md | 4 +- windows/configuration/kiosk-shelllauncher.md | 2 +- windows/configuration/kiosk-single-app.md | 10 +- windows/configuration/kiosk-troubleshoot.md | 2 +- .../lock-down-windows-10-applocker.md | 8 +- .../lock-down-windows-10-to-specific-apps.md | 14 +- .../manage-wifi-sense-in-enterprise.md | 6 +- .../mobile-devices/lockdown-xml.md | 30 +-- .../mobile-lockdown-designer.md | 28 +-- .../provisioning-configure-mobile.md | 6 +- .../mobile-devices/provisioning-nfc.md | 2 +- ...kiosk-for-windows-10-for-mobile-edition.md | 12 +- .../mobile-devices/start-layout-xml-mobile.md | 2 +- windows/configuration/provisioning-apn.md | 4 +- ...can-use-configuration-service-providers.md | 10 +- .../provision-pcs-for-initial-deployment.md | 6 +- ...rovision-pcs-with-apps-and-certificates.md | 8 +- .../provision-pcs-with-apps.md | 10 +- .../provisioning-apply-package.md | 14 +- .../provisioning-create-package.md | 10 +- .../provisioning-install-icd.md | 2 +- .../provisioning-multivariant.md | 2 +- .../provisioning-packages.md | 2 +- .../provisioning-script-to-install-app.md | 4 +- .../set-up-shared-or-guest-pc.md | 8 +- .../start-layout-troubleshoot.md | 14 +- .../configuration/start-secondary-tiles.md | 8 +- .../uev-deploy-uev-for-custom-applications.md | 2 +- windows/configuration/ue-v/uev-for-windows.md | 4 +- .../ue-v/uev-prepare-for-deployment.md 
| 16 +- .../uev-upgrade-uev-from-previous-releases.md | 2 +- .../configuration/wcd/wcd-admxingestion.md | 4 +- ...ws-10-start-layout-options-and-policies.md | 4 +- windows/configuration/windows-spotlight.md | 8 +- .../deployment/deploy-enterprise-licenses.md | 6 +- windows/deployment/deploy-m365.md | 4 +- windows/deployment/deploy-whats-new.md | 2 +- ...ystem-image-using-configuration-manager.md | 4 +- ...-windows-pe-using-configuration-manager.md | 16 +- ...e-boot-image-with-configuration-manager.md | 10 +- ...ence-with-configuration-manager-and-mdt.md | 4 +- ...-windows-10-using-configuration-manager.md | 4 +- ...-10-using-pxe-and-configuration-manager.md | 30 +-- ...0-deployment-with-configuration-manager.md | 12 +- ...f-windows-10-with-configuration-manager.md | 22 +- ...-windows-10-using-configuration-manager.md | 22 +- ...-windows-10-using-configuration-manager.md | 24 +-- ...to-windows-10-with-configuraton-manager.md | 16 +- .../assign-applications-using-roles-in-mdt.md | 6 +- ...d-environment-for-windows-10-deployment.md | 10 +- .../configure-mdt-settings.md | 2 +- .../create-a-windows-10-reference-image.md | 28 +-- .../deploy-a-windows-10-image-using-mdt.md | 38 ++-- ...d-with-the-microsoft-deployment-toolkit.md | 8 +- ...prepare-for-windows-deployment-with-mdt.md | 10 +- ...sh-a-windows-7-computer-with-windows-10.md | 6 +- ...s-7-computer-with-a-windows-10-computer.md | 12 +- .../set-up-mdt-for-bitlocker.md | 6 +- ...ows-10-deployment-in-a-test-environment.md | 4 +- ...0-with-the-microsoft-deployment-toolkit.md | 8 +- .../use-orchestrator-runbooks-with-mdt.md | 20 +- ...stage-windows-10-deployment-information.md | 8 +- .../use-web-services-in-mdt.md | 16 +- windows/deployment/mbr-to-gpt.md | 2 +- ...compatibility-administrator-users-guide.md | 2 +- ...oyment-considerations-for-windows-to-go.md | 12 +- ...rstanding-and-using-compatibility-fixes.md | 4 +- .../deployment/planning/using-the-sua-tool.md | 2 +- .../planning/using-the-sua-wizard.md | 2 +- 
.../windows-10-infrastructure-requirements.md | 2 +- windows/deployment/s-mode.md | 4 +- windows/deployment/update/PSFxWhitepaper.md | 8 +- windows/deployment/update/WIP4Biz-intro.md | 2 +- .../deployment/update/check-release-health.md | 12 +- .../update/deployment-service-overview.md | 4 +- .../get-started-updates-channels-tools.md | 12 +- .../update/how-windows-update-works.md | 14 +- .../deployment/update/media-dynamic-update.md | 2 +- .../olympia/olympia-enrollment-guidelines.md | 14 +- .../deployment/update/plan-define-strategy.md | 4 +- windows/deployment/update/safeguard-holds.md | 2 +- ...update-compliance-delivery-optimization.md | 2 +- ...update-compliance-feature-update-status.md | 2 +- .../update-compliance-need-attention.md | 2 +- ...pdate-compliance-security-update-status.md | 2 +- .../update/update-compliance-using.md | 8 +- .../deployment/update/waas-configure-wufb.md | 2 +- .../waas-delivery-optimization-setup.md | 2 +- .../update/waas-delivery-optimization.md | 2 +- ...aas-deployment-rings-windows-10-updates.md | 12 +- .../deployment/update/waas-integrate-wufb.md | 2 +- .../update/waas-manage-updates-wsus.md | 48 ++--- .../update/waas-manage-updates-wufb.md | 14 +- .../waas-optimize-windows-10-updates.md | 16 +- windows/deployment/update/waas-overview.md | 14 +- windows/deployment/update/waas-restart.md | 18 +- ...s-servicing-channels-windows-10-updates.md | 24 +-- .../update/waas-servicing-differences.md | 6 +- ...s-servicing-strategy-windows-10-updates.md | 14 +- .../deployment/update/waas-wufb-csp-mdm.md | 18 +- .../update/waas-wufb-group-policy.md | 18 +- windows/deployment/update/waas-wufb-intune.md | 20 +- .../deployment/update/windows-update-logs.md | 10 +- .../update/windows-update-overview.md | 2 +- .../update/wufb-compliancedeadlines.md | 12 +- .../deployment/update/wufb-manageupdate.md | 2 +- windows/deployment/upgrade/quick-fixes.md | 8 +- windows/deployment/upgrade/setupdiag.md | 4 +- windows/deployment/upgrade/submit-errors.md | 4 +- 
.../upgrade/troubleshoot-upgrade-errors.md | 14 +- .../upgrade/windows-10-edition-upgrades.md | 42 ++-- .../upgrade/windows-error-reporting.md | 2 +- .../usmt/migration-store-types-overview.md | 2 +- .../usmt/usmt-common-migration-scenarios.md | 4 +- ...ctive-directory-based-activation-client.md | 12 +- ...ivate-using-key-management-service-vamt.md | 12 +- .../activate-windows-10-clients-vamt.md | 4 +- .../add-remove-computers-vamt.md | 2 +- .../configure-client-computers-vamt.md | 2 +- .../volume-activation/install-vamt.md | 4 +- .../volume-activation/introduction-vamt.md | 4 +- .../plan-for-volume-activation-client.md | 6 +- .../scenario-online-activation-vamt.md | 2 +- .../scenario-proxy-activation-vamt.md | 2 +- ...olume-activation-management-tool-client.md | 4 +- .../volume-activation/vamt-known-issues.md | 2 +- .../windows-10-deployment-posters.md | 4 +- windows/deployment/windows-10-media.md | 4 +- windows/deployment/windows-10-poc-mdt.md | 4 +- .../windows-10-poc-sc-config-mgr.md | 18 +- windows/deployment/windows-10-poc.md | 16 +- .../windows-10-subscription-activation.md | 14 +- .../demonstrate-deployment-on-vm.md | 128 ++++++------ .../windows-deployment-scenarios-and-tools.md | 28 +-- .../privacy/Microsoft-DiagnosticDataViewer.md | 4 +- .../diagnostic-data-viewer-overview.md | 16 +- ...system-components-to-microsoft-services.md | 192 +++++++++--------- .../active-directory-accounts.md | 30 +-- .../access-control/local-accounts.md | 16 +- .../access-control/security-identifiers.md | 2 +- .../access-control/security-principals.md | 2 +- .../identity-protection/configure-s-mime.md | 8 +- .../credential-guard-how-it-works.md | 2 +- .../credential-guard-manage.md | 4 +- .../enterprise-certificate-pinning.md | 12 +- .../feature-multifactor-unlock.md | 4 +- .../hello-adequate-domain-controllers.md | 10 +- .../hello-cert-trust-adfs.md | 20 +- .../hello-cert-trust-validate-ad-prereq.md | 2 +- .../hello-deployment-rdp-certs.md | 6 +- 
.../hello-errors-during-pin-creation.md | 2 +- .../hello-feature-pin-reset.md | 8 +- .../hello-feature-remote-desktop.md | 2 +- .../hello-how-it-works-authentication.md | 10 +- .../hello-how-it-works-provisioning.md | 12 +- .../hello-hybrid-aadj-sso-base.md | 52 ++--- .../hello-hybrid-aadj-sso-cert.md | 94 ++++----- .../hello-hybrid-cert-trust-devreg.md | 18 +- .../hello-hybrid-cert-whfb-provision.md | 8 +- .../hello-hybrid-key-whfb-provision.md | 8 +- .../hello-key-trust-adfs.md | 20 +- .../hello-for-business/hello-overview.md | 2 +- .../hello-prepare-people-to-use.md | 6 +- .../passwordless-strategy.md | 20 +- .../retired/hello-how-it-works.md | 2 +- .../remote-credential-guard.md | 6 +- .../smart-card-and-remote-desktop-services.md | 2 +- .../smart-cards/smart-card-architecture.md | 8 +- ...rt-card-certificate-propagation-service.md | 2 +- ...ertificate-requirements-and-enumeration.md | 12 +- .../smart-card-removal-policy-service.md | 2 +- .../how-user-account-control-works.md | 10 +- ...l-smart-card-deploy-virtual-smart-cards.md | 2 +- .../virtual-smart-card-evaluate-security.md | 2 +- .../virtual-smart-card-get-started.md | 22 +- ...tual-smart-card-use-virtual-smart-cards.md | 2 +- .../vpn/vpn-authentication.md | 2 +- .../vpn/vpn-auto-trigger-profile.md | 4 +- .../vpn/vpn-conditional-access.md | 2 +- .../vpn/vpn-connection-type.md | 6 +- .../vpn/vpn-name-resolution.md | 2 +- .../vpn/vpn-profile-options.md | 2 +- .../identity-protection/vpn/vpn-routing.md | 4 +- .../vpn/vpn-security-features.md | 2 +- ...dential-theft-mitigation-guide-abstract.md | 2 +- .../bitlocker/bitlocker-countermeasures.md | 4 +- .../bitlocker-deployment-comparison.md | 48 ++--- .../bitlocker-recovery-guide-plan.md | 16 +- ...ve-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker/troubleshoot-bitlocker.md | 4 +- .../ts-bitlocker-cannot-encrypt-issues.md | 4 +- .../ts-bitlocker-decode-measured-boot-logs.md | 16 +- .../bitlocker/ts-bitlocker-intune-issues.md | 38 ++-- 
.../kernel-dma-protection-for-thunderbolt.md | 10 +- .../secure-the-windows-10-boot-process.md | 4 +- .../tpm/how-windows-uses-the-tpm.md | 4 +- ...reate-and-verify-an-efs-dra-certificate.md | 2 +- ...e-vpn-and-wip-policy-using-intune-azure.md | 8 +- .../create-wip-policy-using-configmgr.md | 40 ++-- .../create-wip-policy-using-intune-azure.md | 56 ++--- .../deploy-wip-policy-using-intune-azure.md | 2 +- .../wip-app-enterprise-context.md | 4 +- .../wip-learning.md | 8 +- ...tion-based-protection-of-code-integrity.md | 4 +- .../coordinated-malware-eradication.md | 2 +- .../intelligence/fileless-threats.md | 4 +- .../intelligence/malware-naming.md | 2 +- .../intelligence/phishing.md | 2 +- .../portal-submission-troubleshooting.md | 14 +- .../intelligence/worms-malware.md | 2 +- .../mbsa-removal-and-guidance.md | 4 +- .../install-md-app-guard.md | 6 +- .../md-app-guard-overview.md | 2 +- .../test-scenarios-md-app-guard.md | 34 ++-- ...microsoft-defender-smartscreen-overview.md | 2 +- ...ender-smartscreen-set-individual-device.md | 2 +- ...tions-for-app-related-security-policies.md | 6 +- ...iew-of-threat-mitigations-in-windows-10.md | 4 +- ...-the-health-of-windows-10-based-devices.md | 26 +-- ...-information-when-the-session-is-locked.md | 2 +- .../security-policy-settings.md | 8 +- ...arding-to-assist-in-intrusion-detection.md | 8 +- .../windows-10-mobile-security-guide.md | 2 +- .../LOB-win32-apps-on-s.md | 6 +- .../plan-for-applocker-policy-management.md | 2 +- ...ent-setting-inheritance-in-group-policy.md | 2 +- ...the-applocker-policy-deployment-process.md | 2 +- ...s-defender-application-control-policies.md | 2 +- ...s-defender-application-control-policies.md | 2 +- ...or-windows-defender-application-control.md | 8 +- ...rt-windows-defender-application-control.md | 20 +- ...ion-control-policies-using-group-policy.md | 6 +- ...plication-control-policies-using-intune.md | 2 +- ...defender-application-control-management.md | 2 +- 
.../wdac-wizard-create-base-policy.md | 10 +- .../wdac-wizard-create-supplemental-policy.md | 12 +- .../wdac-wizard-editing-policy.md | 4 +- .../wdac-wizard-merging-policies.md | 2 +- .../wdsc-account-protection.md | 2 +- .../wdsc-app-browser-control.md | 2 +- .../wdsc-customize-contact-information.md | 4 +- .../wdsc-device-performance-health.md | 2 +- .../wdsc-device-security.md | 2 +- .../wdsc-family-options.md | 2 +- .../wdsc-firewall-network-protection.md | 2 +- .../wdsc-virus-threat-protection.md | 2 +- .../wdsc-windows-10-in-s-mode.md | 2 +- .../windows-defender-security-center.md | 10 +- ...sed-root-of-trust-helps-protect-windows.md | 4 +- ...-guard-secure-launch-and-smm-protection.md | 8 +- .../best-practices-configuring.md | 14 +- .../windows-firewall/boundary-zone.md | 2 +- ...create-windows-firewall-rules-in-intune.md | 2 +- .../domain-isolation-policy-design-example.md | 2 +- .../domain-isolation-policy-design.md | 2 +- .../filter-origin-documentation.md | 10 +- .../firewall-policy-design-example.md | 2 +- ...wall-with-advanced-security-design-plan.md | 2 +- .../windows-firewall/quarantine.md | 4 +- ...n-accessing-sensitive-network-resources.md | 2 +- ...cess-to-only-specified-users-or-devices.md | 2 +- ...restrict-access-to-only-trusted-devices.md | 2 +- ...to-end-ipsec-connections-by-using-ikev2.md | 6 +- .../server-isolation-policy-design-example.md | 2 +- .../server-isolation-policy-design.md | 2 +- ...-administration-with-windows-powershell.md | 4 +- .../windows-security-baselines.md | 6 +- .../windows-security-baselines.md | 6 +- windows/whats-new/contribute-to-a-topic.md | 10 +- .../ltsc/whats-new-windows-10-2019.md | 20 +- .../whats-new-windows-10-version-1703.md | 8 +- .../whats-new-windows-10-version-1809.md | 36 ++-- .../whats-new-windows-10-version-1903.md | 2 +- .../whats-new-windows-10-version-2004.md | 2 +- 406 files changed, 2100 insertions(+), 2100 deletions(-) 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 75cb7255c8..ef3a69ff52 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible. 1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**. - ![GitHub Web, showing the Edit link](images/contribute-link.png) + ![GitHub Web, showing the Edit link.](images/contribute-link.png) 2. Log into (or sign up for) a GitHub account. @@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible. 3. Click the **Pencil** icon (in the red box) to edit the content. - ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) + ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) @@ -37,11 +37,11 @@ We've tried to make editing an existing, public file as simple as possible. 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. - ![GitHub Web, showing the Propose file change button](images/propose-file-change.png) + ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) The **Comparing changes** screen appears to see what the changes are between your fork and the original content. 
@@ -49,7 +49,7 @@ We've tried to make editing an existing, public file as simple as possible. If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index 4fc4fb1ecc..d4f9600d8b 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -34,11 +34,11 @@ Before you start, you need to make sure you have the following: 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png) 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - ![affected software section](images/affectedsoftware.png) + ![affected software section.](images/affectedsoftware.png) 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. 
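Review bot: the alt text in the `@@ -34,11 +34,11 @@` hunk of `collect-data-using-enterprise-site-discovery.md` stays in lower case after the edit ("microsoft security bulletin techcenter.", "affected software section."), and the second one describes a screenshot only as a "section". Given the subject line limits this PR to adding periods, that is fine here, but a follow-up should capitalize these and make them say what the image actually shows, e.g. "Microsoft Security Bulletin page, filtered to Windows Internet Explorer 11." and "Affected software table for the cumulative security update."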
@@ -280,13 +280,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png) 2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. 3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png) 4. Select the check boxes next to the following classes, and then click **OK**: 
@@ -393,12 +393,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam ### SCCM Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) ### SCCM Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) +![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) ## View the collected XML data After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: @@ -436,7 +436,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md index 47322f0c03..923d4dfe04 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -27,11 +27,11 @@ ms.date: 07/27/2017 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. -![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) +![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png) The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. -![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) +![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png) Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. 
@@ -47,11 +47,11 @@ This lets you create an ASP form that accepts the incoming POST messages. 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png) 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options](images/ie-emie-logging.png) + ![IIS Manager, setting logging options.](images/ie-emie-logging.png) 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. @@ -72,7 +72,7 @@ This code logs your POST fields to your IIS log file, where you can review all o ### IIS log file information This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. -![Enterprise Mode log file](images/ie-emie-logfile.png) +![Enterprise Mode log file.](images/ie-emie-logfile.png) ## Using the GitHub sample to collect your data @@ -99,14 +99,14 @@ The required packages are automatically downloaded and included in the solution. 1. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png) 2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. @@ -131,7 +131,7 @@ The required packages are automatically downloaded and included in the solution. - Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. - ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png) ### Troubleshooting publishing errors @@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png) 2. Click **Updates** on the left side of the tool, and click the **Update All** button.

You may need to do some additional package cleanup to remove older package versions. diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md index 4651adf5cf..4573423115 100644 --- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.

Turning this setting on also requires you to create and store a site list. 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. @@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t 2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.

For example: + ![Enterprise mode with site list in the registry.](../edge/images/enterprise-mode-value-data.png) --> - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"` diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md index b34f9be63f..c8ef3d030c 100644 --- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting.](images/ie-emie-editpolicy.png) 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. @@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 1acd936993..65fbb8eaaf 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following: 1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**. - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png) 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - ![affected software section](images/affectedsoftware.png) + ![affected software section.](images/affectedsoftware.png) 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. 
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png) 2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. 3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png) 4. Select the check boxes next to the following classes, and then click **OK**: 
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam ### SCCM Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) ### SCCM Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) +![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) ## View the collected XML data After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: @@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index e8d1ec3d7d..5cfa201d18 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the ## Document mode selection flowchart This flowchart shows how IE11 works when document modes are used. -![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
+![Flowchart detailing how document modes are chosen in IE11.](images/docmode-decisions-sm.png)
[Click this link to enlarge image](img-ie11-docmode-lg.md) ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 333686dc07..9ec7ddf862 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time, 1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. - ![Emulation tool showing document mode selection](images/docmode-f12.png) + ![Emulation tool showing document mode selection.](images/docmode-f12.png) 2. Starting with the **11 (Default)** option, test your broken scenario.
If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)). @@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris 1. Open the Enterprise Mode Site List Manager, and click **Add**. - ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) + ![Enterprise Mode Site List Manager, showing the available modes.](images/emie-listmgr.png) 2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. @@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what- ### Review your Enterprise Mode site list Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: -![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) +![Enterprise Mode Site List Manager, showing the different modes.](images/emie-sitelistmgr.png) And the underlying XML code will look something like: diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 75283c1f64..4eed39657f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md 
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi **Internet Explorer 9 through Internet Explorer 11** -![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) +![Warning about outdated activex controls (ie9+).](images/outdatedcontrolwarning.png) **Windows Internet Explorer 8** -![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) +![Warning about outdated activex controls (ie8).](images/ieoutdatedcontrolwarning.png) Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: -![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) +![Warning about outdated activex controls outside ie.](images/ieoutdatedcontroloutsideofie.png) ## How do I fix an outdated ActiveX control or app? diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 6edccdda73..9424e5e32f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration 1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). - ![set default associations group policy setting](images/setdefaultbrowsergp.png) + ![set default associations group policy setting.](images/setdefaultbrowsergp.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index dd26f8e369..b42426f1d7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -31,11 +31,11 @@ ms.date: 07/27/2017 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. -![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) +![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png) The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. -![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) +![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png) Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. 
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png) 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options](images/ie-emie-logging.png) + ![IIS Manager, setting logging options.](images/ie-emie-logging.png) 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. @@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can ### IIS log file information This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. -![Enterprise Mode log file](images/ie-emie-logfile.png) +![Enterprise Mode log file.](images/ie-emie-logfile.png) ## Using the GitHub sample to collect your data @@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can 5. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png) 6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. @@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can - Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. - ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png) ### Troubleshooting publishing errors @@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png) 2. Click **Updates** on the left side of the tool, and click the **Update All** button.

You may need to do some additional package cleanup to remove older package versions. diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index 14bd40e745..ec77071c73 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -28,7 +28,7 @@ Jump to: [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. -![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) +![Internet Explorer Enterprise Modes and document modes.](images/img-enterprise-mode-site-list-xml.jpg) Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. 
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern - Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. - ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) + ![F12 Developer Tools Emulation tab.](images/img-f12-developer-tools-emulation.jpg) - Run the site in each document mode until you find the mode in which the site works. diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 8c84054dc3..1b32fa64ad 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) + ![local group policy editor for using a site list.](images/ie-emie-grouppolicysitelist.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. @@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi 4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: - ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) + ![enterprise mode with site list in the registry.](images/ie-emie-registrysitelist.png) - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index b4db0fb7a4..897b27ceed 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md 
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting.](images/ie-emie-editpolicy.png) 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. @@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index fd6904f4a8..54ae269373 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md 
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or | Feature | Internal | External | |-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:| -| Welcome screen | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| File locations | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Platform selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Language selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Package type selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Feature selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Automatic Version Synchronization (AVS) | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Custom components | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Internal install | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| User experience | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Browser user interface | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Search providers | ![Available](/microsoft-edge/deploy/images/148767.png) | 
![Available](/microsoft-edge/deploy/images/148767.png) | -| Important URLs – Home page and support | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Accelerators | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Favorites, Favorites bar, and feeds | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Browsing options | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| First Run wizard and Welcome page options | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Connection manager | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Connection settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Automatic configuration | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Proxy settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Security and privacy settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Add a root certificate | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Programs | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Additional settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Wizard complete | 
![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Welcome screen | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| File locations | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Platform selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Language selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Package type selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Feature selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Automatic Version Synchronization (AVS) | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Custom components | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Internal install | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| User experience | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Browser user interface | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Search providers | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Important URLs – Home page and support | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Accelerators | 
![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Favorites, Favorites bar, and feeds | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Browsing options | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| First Run wizard and Welcome page options | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Connection manager | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Connection settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Automatic configuration | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Proxy settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Security and privacy settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Add a root certificate | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Programs | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Additional settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Wizard complete | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | --- 
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index d0251e80ba..bbf1be6015 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -24,13 +24,13 @@ manager: dansimp | Tool | Description | | :---: |:--- | -| [![Connect the device to Wi-Fi](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. | -| [![Try Learning Tools Immersive Reader](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)**
Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. | -| [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | -| [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
Open [OneNote](#edu-task4) and create an example group project for your class. | -| [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
Try the [Photos app](#edu-task5) to make your own example video. | -| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | -| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. | +| [![Connect the device to Wi-Fi.](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. | +| [![Try Learning Tools Immersive Reader.](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)**
Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. | +| [![Launch Microsoft Teams.](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | +| [![Open OneNote.](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
Open [OneNote](#edu-task4) and create an example group project for your class. | +| [![Try Photos app.](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
Try the [Photos app](#edu-task5) to make your own example video. | +| [![Play with Minecraft: Education Edition.](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | +| [![Do Math with Windows Ink.](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
@@ -41,7 +41,7 @@ manager: dansimp
-![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png) +![Log in to Device A and connect to the school network.](images/edu-TIB-setp-1-jump.png) ## 1. Log in and connect to the school network To try out the educator tasks, start by logging in as a teacher. @@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.

-![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png) +![Improve student reading speed and comprehension.](images/edu-TIB-setp-2-jump.png) ## 2. Significantly improve student reading speed and comprehension > [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y] @@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse 4. Select the **Immersive Reader** button. - ![Word's Immersive Reader](images/word_online_immersive_reader.png) + ![Word's Immersive Reader.](images/word_online_immersive_reader.png) 5. Press the **Play** button to hear text read aloud. @@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse | Text to Speech | Text Preferences | Grammar Options | Line Focus | | :------------: | :--------------: | :-------------: | :--------: | - | ![Word Text to Speech](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) | + | ![Word Text to Speech.](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |

-![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) +![Spark communication, critical thinking, and creativity with Microsoft Teams.](images/edu-TIB-setp-3-jump.png) ## 3. Spark communication, critical thinking, and creativity in the classroom > [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8] @@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.

-![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png) +![Expand classroom collaboration and interaction with OneNote.](images/edu-TIB-setp-4-jump.png) ## 4. Expand classroom collaboration and interaction between students > [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE] @@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities. - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling. - ![OneNote Draw tab](images/onenote_draw.png) + ![OneNote Draw tab.](images/onenote_draw.png) - Type anywhere on the page! Just click your cursor where you want to place text. - Use the checkmark in the **Home** tab to keep track of completed tasks. - ![OneNote To Do Tag](images/onenote_checkmark.png) + ![OneNote To Do Tag.](images/onenote_checkmark.png) - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. - ![OneNote Researcher](images/onenote_researcher.png) + ![OneNote Researcher.](images/onenote_researcher.png)

@@ -178,7 +178,7 @@ Use video to create a project summary. 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this: - ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) + ![Photos app layout showing videos added in previous steps.](images/photo_app_1.png) 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. @@ -191,7 +191,7 @@ Use video to create a project summary. 4. Play back your effect. 5. Select **Done** when you have it where you want it. - ![Lighting bolt effect being added to a video clip](images/photo_app_2.png) + ![Lighting bolt effect being added to a video clip.](images/photo_app_2.png) 12. Select **Music** and select a track from the **Recommended** music collection. 1. The music will update automatically to match the length of your video project, even as you make changes. @@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F

-![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png) +![Further collaborate and problem solve with Minecraft: Education Edition.](images/edu-TIB-setp-5-jump.png) ## 6. Get kids to further collaborate and problem solve > [!VIDEO https://www.youtube.com/embed/QI_bRNUugog] @@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. 3. Scroll down to the **Details** section and select **Download World**. - ![Select the download world link](images/mcee_downloadworld.png) + ![Select the download world link.](images/mcee_downloadworld.png) 4. When prompted, save the world. @@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. - ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png) + ![Minecraft mouse and keyboard controls.](images/mcee_keyboard_mouse_controls.png) 12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting. @@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student. 2. Click **Class Resources**. 3. Click **Find a Lesson**. - ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png) + ![Access and adapt over 300 Minecraft lesson plans.](images/minecraft_lesson_plans.png)


-![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png) +![Help students understand new math concepts with the Math Assistant in OneNote.](images/Inking.png) ## 7. Use Windows Ink to provide a personal math tutor for your students The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph. @@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app To get started: 1. Open the OneNote app for Windows 10 (not OneNote 2016). - ![OneNote icon](images/OneNote_logo.png) + ![OneNote icon.](images/OneNote_logo.png) 2. In the top left corner, click on the **<** arrow to access your notebooks and pages. - ![OneNote back arrow navigation button](images/left_arrow.png) + ![OneNote back arrow navigation button.](images/left_arrow.png) 3. Click **Add Page** to launch a blank work space. - ![Select add page button](images/plus-page.png) + ![Select add page button.](images/plus-page.png) 4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. 
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions: 2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse. - ![Lasso button](images/lasso.png) + ![Lasso button.](images/lasso.png) 3. On the **Draw** tab, click the **Math** button. - ![Math button](images/math-button.png) + ![Math button.](images/math-button.png) 4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation. - ![Solve for x menu](images/solve-for-x.png) + ![Solve for x menu.](images/solve-for-x.png) 5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation. 6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem. - ![Replay button](images/replay.png) + ![Replay button.](images/replay.png) To graph the equation 3x+4=7, follow these instructions: 1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level. - ![Graph both sides in 2D](images/graph-for-x.png) + ![Graph both sides in 2D.](images/graph-for-x.png) 2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
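Review bot: in the `@@ -86,14 +86,14 @@` hunk the trailing period is added to only one of the four images in the table row: `![Word Text to Speech.]` gets it, while `![Word Text Preferences]`, `![Word Grammar Options]` and `![Word Line Focus]` on the same line are left as they were, which is inconsistent with the rest of this change, where every alt text touched ends with a period. Convert all four cells in one pass, e.g. `| ![Word Text to Speech.](images/wordonline_tts.png) | ![Word Text Preferences.](images/wordonline_text_preferences.png) | ![Word Grammar Options.](images/wordonline_grammar_options.png) | ![Word Line Focus.](images/wordonline_line_focus.png) |`.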
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index f21a0ddcf4..5f1c865bce 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -16,7 +16,7 @@ ms.date: 12/11/2017 # Microsoft Education Trial in a Box -![Microsoft Education Trial in a Box - Unlock Limitless Learning](images/Unlock-Limitless-Learning.png) +![Microsoft Education Trial in a Box - Unlock Limitless Learning.](images/Unlock-Limitless-Learning.png)
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
-| [![Get started for Educators](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | +| [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | | :---: | :---: | | **Educator**
Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
[Get started](educator-tib-get-started.md) | **IT Admin**
Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
[Get started](itadmin-tib-get-started.md) | diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index be9a131941..d0ba6a05b3 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md 
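Review bot: in the `@@ -28,7 +28,7 @@` hunk of index.md only the first of the two linked images on the row is updated: `![Get started for Educators.]` gains the period but `![Get started for IT Admins]` in the second cell does not, so the two cards of the same table end up with different alt-text styles. Change the second cell as well, to `[![Get started for IT Admins.](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md)`.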
@@ -24,11 +24,11 @@ manager: dansimp |  |  | | :---: |:--- | -| [![Log in to Device A](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. | -| [![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. | -| [![Configure Intune for Education](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. | -| [![Find and deploy apps](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. | -| [![Create custom folders](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. | +| [![Log in to Device A.](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. | +| [![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. | +| [![Configure Intune for Education.](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. | +| [![Find and deploy apps.](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. | +| [![Create custom folders.](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
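Review bot: the `@@ -24,11 +24,11 @@` hunk rewrites every row of the task table in itadmin-tib-get-started.md but leaves the header row as two empty cells (`|  |  |`), so the table still has no column headers for screen readers. Since the educator page in this same change uses `| Tool | Description |` for the identical layout, give this table the same header while the rows are being touched.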
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
-![Log in to Device A](images/admin-TIB-setp-1-jump.png) +![Log in to Device A.](images/admin-TIB-setp-1-jump.png) ## 1. Log in to Device A with your IT Admin credentials and connect to the school network To try out the IT admin tasks, start by logging in as an IT admin. @@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
-![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-jump.png) +![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-jump.png) ## 2. Configure Device B with Set up School PCs Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**. @@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca 1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store. - ![Microsoft Store from the Start menu](images/start_microsoft_store.png) + ![Microsoft Store from the Start menu.](images/start_microsoft_store.png) 2. Search for the **Set up School PCs** app. - ![Set up School PCs on Microsoft Store](images/microsoft_store_suspc_install.png) + ![Set up School PCs on Microsoft Store.](images/microsoft_store_suspc_install.png) 3. Click **Install**. @@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 1. On **Device A**, launch the Set up School PCs app. - ![Launch the Set up School PCs app](images/suspc_start.png) + ![Launch the Set up School PCs app.](images/suspc_start.png) 2. Click **Get started**. 3. Select **Sign-in**. @@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca We recommend checking the highlighted settings below: - ![Configure student PC settings](images/suspc_configure_pcsettings_selected.png) + ![Configure student PC settings.](images/suspc_configure_pcsettings_selected.png) - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes). - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC. 
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test. - ![Configure the Take a Test app](images/suspc_takeatest.png) + ![Configure the Take a Test app.](images/suspc_takeatest.png) 1. Specify if you want to create a Take a Test button on the students' sign-in screens. 2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. @@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision. - ![Recommended apps in Set up School PCs package configuration](images/suspc_configure_recommendedapps_v2.png) + ![Recommended apps in Set up School PCs package configuration.](images/suspc_configure_recommendedapps_v2.png) The recommended apps include the following: * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store. 
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes. - ![Select the section or page name to make a change](images/suspc_review_summary.png) + ![Select the section or page name to make a change.](images/suspc_review_summary.png) 10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package. 11. Select the drive and then **Save** to create the provisioning package. @@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n 1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**. - ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png) + ![The first screen to set up a new PC in Windows 10 Fall Creators Update.](images/win10_oobe_firstscreen.png) If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.** @@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
-![Express configure Intune for Education](images/admin-TIB-setp-3-jump.png) +![Express configure Intune for Education.](images/admin-TIB-setp-3-jump.png) ## 3. Express configure Intune for Education to manage devices, users, and policies Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. 1. Log into the Intune for Education console. 2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**. - ![Intune for Education dashboard](images/i4e_dashboard_expressconfig.png) + ![Intune for Education dashboard.](images/i4e_dashboard_expressconfig.png) 3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen. 4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group. 5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps. - ![Choose apps you want to provision to the group](images/i4e_expressconfig_chooseapps.png) + ![Choose apps you want to provision to the group.](images/i4e_expressconfig_chooseapps.png) 6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5. @@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
-![Find apps from the Microsoft Store for Education](images/admin-TIB-setp-4-jump.png) +![Find apps from the Microsoft Store for Education.](images/admin-TIB-setp-4-jump.png) ## 4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant The Microsoft Store for Education is where you can shop for more apps for your school. @@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s 2. In the **Store apps** section, select **+ New app** to go to the Microsoft Store for Education. 3. Select **Sign in** and start shopping for apps for your school. - ![Microsoft Store for Education site](images/msfe_portal.png) + ![Microsoft Store for Education site.](images/msfe_portal.png) 4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free: - Duolingo - Learn Languages for Free @@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - ![List of apps bought for the school](images/msfe_boughtapps.png) + ![List of apps bought for the school.](images/msfe_boughtapps.png) In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store. @@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
-![Create custom folders that appear on managed devices](images/admin-TIB-setp-5-jump.png) +![Create custom folders that appear on managed devices.](images/admin-TIB-setp-5-jump.png) ## 5. Create custom folders that will appear on each managed device's Start menu Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education. @@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and * 2. Select **Group > All Devices > Settings** and expand **Windows interface settings**. 3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**. - ![Choose folders that appear in the Start menu](images/screenshot-bug.png) + ![Choose folders that appear in the Start menu.](images/screenshot-bug.png) 4. **Save** your changes. diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 9cb32351de..627a78c9ef 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a > [!NOTE] > For the alternate email address, make sure you use a different address from your Office 365 email address. - ![Complete your contact details](images/o365_adminaccountinfo.png) + ![Complete your contact details.](images/o365_adminaccountinfo.png) 4. Click **Save**. 
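Review bot: in the `@@ -239,7 +239,7 @@` hunk of itadmin-tib-get-started.md the alt-text fix is fine, but the image it refers to is `images/screenshot-bug.png`, a file name that reads like a placeholder rather than a description of the Start menu folder settings screenshot it shows. Worth renaming the asset (for example to match the pattern of the neighbouring `i4e_*` images) in a follow-up so the reference matches the now-descriptive alt text.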
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console. - ![Select Need help to get support](images/o365_needhelp.png) + ![Select Need help to get support.](images/o365_needhelp.png) You will see a sidebar window open up on the right-hand side of the screen. - ![Option to have a support representative call you](images/o365_needhelp_callingoption.png) + ![Option to have a support representative call you.](images/o365_needhelp_callingoption.png) If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**. - ![Track your support tickets](images/o365_needhelp_supporttickets.png) + ![Track your support tickets.](images/o365_needhelp_supporttickets.png) -2. Click the **question button** ![Question button](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. +2. Click the **question button** ![Question button.](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. 3. In the field below **Need help?**, enter a description of your help request. 4. Click the **Get help button**. 5. In the **Let us call you** section, enter a phone number where you can be reached. @@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it. 1. Go to https://portal.office.com 2. Select **Can't access your account** and follow the prompts to get back into your account. - ![Recover your account](images/officeportal_cantaccessaccount.png) + ![Recover your account.](images/officeportal_cantaccessaccount.png) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 00b99a4c75..c0ac95e03e 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
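Review bot: in the `@@ -46,17 +46,17 @@` hunk the period is also added to an image that sits in the middle of a sentence: `2. Click the **question button** ![Question button.](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window.` Unlike the block-level screenshots elsewhere in this change, this is an inline icon, and a period inside its alt text is read as a sentence break between "question button" and "in the top navigation". Either confirm the trailing-period rule is meant to cover inline images too, or leave this one as `![Question button]` so the sentence is announced as one unit.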
@@ -61,7 +61,7 @@ You can set the policy using one of these methods: - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: - ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) + ![Configure student PC settings in Set up School PCs.](images/suspc_configure_pc2.jpg) ## Trigger Autopilot Reset Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. @@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. - ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: @@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) + ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png) 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. 
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Is returned to a known good managed state, connected to Azure AD and MDM. - ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png) + ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png) Once provisioning is complete, the device is again ready for use. diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index b104042dbc..ea30225b3e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f **Figure 1** - Enter the details for the Windows edition change - ![Enter the details for the Windows edition change](images/i4e_editionupgrade.png) + ![Enter the details for the Windows edition change.](images/i4e_editionupgrade.png) 3. The change will automatically be applied to the group you selected. @@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that **Figure 2** - Enter the license key - ![Enter the license key to change to Windows 10 Pro Education](images/wcd_productkey.png) + ![Enter the license key to change to Windows 10 Pro Education.](images/wcd_productkey.png) 3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education. @@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi **Figure 3** - Check the box to confirm - ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) + ![Check the box to confirm.](images/msfe_manage_benefits_checktoconfirm.png) 5. Click **Change all my devices**. 
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps. **Figure 4** - Select how you'd like to set up the device - ![Select how you'd like to set up the device](images/1_howtosetup.png) + ![Select how you'd like to set up the device.](images/1_howtosetup.png) 2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. **Figure 5** - Enter the account details - ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) + ![Enter the account details you use with Office 365 or other Microsoft services.](images/2_signinwithms.png) 3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. 
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps. **Figure 6** - Go to **Access work or school** in Settings - ![Go to Access work or school in Settings](images/settings_workorschool_1.png) + ![Go to Access work or school in Settings.](images/settings_workorschool_1.png) 2. In **Access work or school**, click **Connect**. 3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. **Figure 7** - Select the option to join the device to Azure Active Directory - ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) + ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png) 4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. **Figure 8** - Verify the device connected to Azure AD - ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) + ![Verify the device is connected to Azure AD.](images/settings_connectedtoazuread_3.png) #### Step 2: Sign in using Azure AD account @@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change **Figure 12** - Revert to Windows 10 Pro - ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) + ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) 4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. 
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident **Figure 13** - On-premises AD DS integrated with Azure AD -![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) +![Illustration of Azure Active Directory Connect.](images/windows-ad-connect.png) For more information about integrating on-premises AD DS domains with Azure AD, see these resources: - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 59da859362..d927aef072 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. -![figure 1](images/chromebook-fig1-googleadmin.png) +![figure 1.](images/chromebook-fig1-googleadmin.png) Figure 1. Google Admin Console 
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). -![figure 2](images/fig2-locallyconfig.png) +![figure 2.](images/fig2-locallyconfig.png) Figure 2. Locally-configured settings on Chromebook diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index f662b8ac78..27b3806af5 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -94,19 +94,19 @@ Use one of these methods to set this policy. - Data type: Integer - Value: 0 - ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png) + ![Create an OMA URI for AllowCortana.](images/allowcortana_omauri.png) ### Group Policy Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. -![Set AllowCortana to disabled through Group Policy](images/allowcortana_gp.png) +![Set AllowCortana to disabled through Group Policy.](images/allowcortana_gp.png) ### Provisioning tools - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. - ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png) + ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) ## SetEduPolicies **SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). @@ -123,7 +123,7 @@ Use one of these methods to set this policy. - Data type: Boolean - Value: true - ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) + ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) ### Group Policy **SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
@@ -147,7 +147,7 @@ For example: - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. - ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) + ![Set SetEduPolicies to True in Windows Configuration Designer.](images/setedupolicies_wcd.png) ## Ad-free search with Bing Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 5ca4cb7ea0..9dcdd7ca81 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. > [!div class="mx-imgBorder"] -> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. > [!div class="mx-imgBorder"] -> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> ![Typical school configuration for this guide.](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. > [!div class="mx-imgBorder"] -> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> ![Typical classroom configuration in a school.](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* 
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. > [!div class="mx-imgBorder"] -> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") +> ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)). > [!div class="mx-imgBorder"] -> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") +> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") *Figure 5. Automatic synchronization between AD DS and Azure AD* 
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. > [!div class="mx-imgBorder"] -> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") +> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") *Figure 6. Bulk import into Azure AD from other sources* @@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool: - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] - > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") + > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") *Figure 7. Azure AD Connect on premises* - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. > [!div class="mx-imgBorder"] - > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") + > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") *Figure 8. Azure AD Connect in Azure* 
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 3b464f9fa6..318b892188 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![fig 1](images/deploy-win-10-school-figure1.png) +![fig 1.](images/deploy-win-10-school-figure1.png) *Figure 1. Typical school configuration for this guide* Figure 2 shows the classroom configuration this guide uses. -![fig 2](images/deploy-win-10-school-figure2.png) +![fig 2.](images/deploy-win-10-school-figure2.png) *Figure 2. Typical classroom configuration in a school* @@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. 7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. -![fig 3](images/deploy-win-10-school-figure3.png) +![fig 3.](images/deploy-win-10-school-figure3.png) *Figure 3. How school configuration works* 
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the **Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396). -![fig 4](images/deploy-win-10-school-figure4.png) +![fig 4.](images/deploy-win-10-school-figure4.png) *Figure 4. Automatic synchronization between AD DS and Azure AD* @@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. -![fig 5](images/deploy-win-10-school-figure5.png) +![fig 5.](images/deploy-win-10-school-figure5.png) *Figure 5. Bulk import into Azure AD from other sources* 
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods: - **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![fig 6](images/deploy-win-10-school-figure6.png) + ![fig 6.](images/deploy-win-10-school-figure6.png) *Figure 6. Azure AD Connect on premises* - **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![fig 7](images/deploy-win-10-school-figure7.png) + ![fig 7.](images/deploy-win-10-school-figure7.png) *Figure 7. Azure AD Connect in Azure* diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index eaa2f7c35b..03a761c858 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices: 1. On the computer, go to **Settings** and select **Privacy**. - ![Privacy settings](images/win10_settings_privacy.png) + ![Privacy settings.](images/win10_settings_privacy.png) 2. Under the list of **Privacy** areas, select **Contacts**. - ![Contacts privacy settings](images/win10_settings_privacy_contacts.png) + ![Contacts privacy settings.](images/win10_settings_privacy_contacts.png) 3. Turn off **Let apps access my contacts**. 
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off. -![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png) +![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png) The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. @@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can: * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce. - ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png) + ![App privacy Group Policy.](images/gp_letwinappsaccesscontacts.png) ## Skype and Xbox settings @@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t To manage and edit your profile in the Skype UWP app, follow these steps: -1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. +1. In the Skype UWP app, select the user profile icon ![Skype profile icon.](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. 2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. 
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps: 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. - ![Skype profile icon](images/skype_uwp_manageprofilepic.png) + ![Skype profile icon.](images/skype_uwp_manageprofilepic.png) * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 586d6ea6b8..f4ea0cf4ef 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi 2. Click **Manage**, and then click **Settings**. 3. On **Shop**, select or clear **Make everyone a Basic Purchaser**. -![manage settings to control Basic Purchaser role assignment](images/sfe-make-everyone-bp.png) +![manage settings to control Basic Purchaser role assignment.](images/sfe-make-everyone-bp.png) > [!NOTE] > **Make everyone a Basic Purchaser** is on by default. @@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi 2. Click **Manage**, and then choose **Permissions**. 3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**. - ![Permission page for Microsoft Store for Business](images/sfe-roles.png) + ![Permission page for Microsoft Store for Business.](images/sfe-roles.png) **Blocked Basic Purchasers** diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 78f1759c45..a89e29de02 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -29,7 +29,7 @@ ms.topic: conceptual Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. - + ## Prerequisites @@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) - + [Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) - + [Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index 81e3f97634..cf961bfe83 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -14,15 +14,15 @@ ms.date: 10/13/2017 # Windows 10 for Education -![Windows 10 Education and Windows 10 Pro Education](images/windows-10-for-education-banner.png) +![Windows 10 Education and Windows 10 Pro Education.](images/windows-10-for-education-banner.png) -## ![Learn more about Windows](images/education.png) Learn +## ![Learn more about Windows.](images/education.png) Learn

Windows 10 editions for education customers
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

Compare each Windows edition
Find out more about the features and functionality we support in each edition of Windows.

Get Windows 10 Education or Windows 10 Pro Education
When you've made your decision, find out how to buy Windows for your school.

-## ![Plan for Windows 10 in your school](images/clipboard.png) Plan +## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan

Windows 10 configuration recommendations for education customers
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

Deployment recommendations for school IT administrators
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

@@ -30,14 +30,14 @@ ms.date: 10/13/2017

Take tests in Windows 10
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

Chromebook migration guide
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

-## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy +## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy

Set up Windows devices for education
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

Deploy Windows 10 in a school
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

Deploy Windows 10 in a school district
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Test Windows 10 S on existing Windows 10 education devices
Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

-## ![Switch to Windows 10 for Education](images/windows.png) Switch +## ![Switch to Windows 10 for Education.](images/windows.png) Switch

Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

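Review bot: in index.md hunks `@@ -14,15 +14,15 @@` and `@@ -30,14 +30,14 @@`, the images on the `## … Learn`, `Plan`, `Deploy` and `Switch` heading lines are section icons whose meaning is already carried by the heading word after them, so adding a period to their alt text makes a screen reader announce, for example, "Learn more about Windows. Learn". Decorative icons are better given empty alt text (`## ![](images/education.png) Learn`) so that only the heading word is read; the banner image at the top of `@@ -14,15` is the one that warrants a real description, and its new text is fine.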
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index e3900603b6..a728b75a41 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. - + 2. Enter your email address, and select Educator, Administrator, or Student.
If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one. - + 3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store. - + 4. Sign in to Microsoft Store for Education with your email address. @@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. - + Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). @@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine 2. Click **Minecraft: Education Edition** in the list of apps. 3. On **Minecraft: Education Edition**, click **View Bills**. - ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-view-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-view-bills.png) 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png) The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. @@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo ### Configure automatic subscription assignment 
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. - + 3. Click **Install**. @@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. - ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) + ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) 3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student. - ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) + ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) **To finish Minecraft install (for students)** 1. Students will receive an email with a link that will install the app on their PC.
- ![Email with Get the app link](images/minecraft-student-install-email.png) + ![Email with Get the app link.](images/minecraft-student-install-email.png) 2. Click **Get the app** to start the app install in Microsoft Store app. 3. In Microsoft Store app, click **Install**. - ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png) + ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. - ![My Library for example student](images/minecraft-my-library.png) + ![My Library for example student.](images/minecraft-my-library.png) ### Download for others Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: 
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png) + ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png) + ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up To prevent educators from automatically signing up for Microsoft Store for Business 1. In Microsoft Store for Business, click **Settings**, and then click **Permissions**. - ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png) 2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.** @@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. - Acquire and manage the app - Info on Support page (including links to documentation and access to support through customer service) - ![assign roles to manage Minecraft permissions](images/minecraft-perms.png) + ![assign roles to manage Minecraft permissions.](images/minecraft-perms.png) **To assign Basic Purchaser role** @@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. 2. Click **Settings**, and then choose **Permissions**. - ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png) 3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**. - ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles.png) Microsoft Store for Business updates the list of people and permissions. - ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles-2.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles-2.png) --> 
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 6d62b6bb55..02198518ca 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**. for Azure AD by selecting **All** or **Selected**. If you choose the latter option, select the teachers and IT staff to allow them to connect to Azure AD. -![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png) +![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png) You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 22d45b09fc..328b2f80a1 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png) The account can be in one of the following formats: - username diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 7d803777e5..f0bb65fa78 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md 
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur 2. 2. On the **Finish** page, select **Switch to advanced editor**. - ![Switch to advanced editor](images/icd-school-adv-edit.png) + ![Switch to advanced editor.](images/icd-school-adv-edit.png) **Next steps** - [Add a desktop app to your package](#add-a-desktop-app-to-your-package) @@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options](images/icdstart-option.png) + ![ICD start options.](images/icdstart-option.png) 3. Name your project and click **Next**. 
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package](images/uwp-family.png) + ![details for offline app package.](images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package](images/uwp-dependencies.png) + ![required frameworks for offline app package.](images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page. - ![generate license for offline app](images/uwp-license.png) + ![generate license for offline app.](images/uwp-license.png) [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) @@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct **During initial setup, from a USB drive** 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC](images/oobe.jpg) + ![The first screen to set up a new PC.](images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. 
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device](images/prov.jpg) + ![Provision this device.](images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package](images/choose-package.png) + ![Choose a package.](images/choose-package.png) 5. Select **Yes, add it**. @@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct 6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/license-terms.png) + ![Sign in.](images/license-terms.png) 7. Select **Use Express settings**. - ![Get going fast](images/express-settings.png) + ![Get going fast.](images/express-settings.png) 8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. @@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct 9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - ![Connect to Azure AD](images/connect-aad.png) + ![Connect to Azure AD.](images/connect-aad.png) 10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - ![Sign in](images/sign-in-prov.png) + ![Sign in.](images/sign-in-prov.png) **After setup, from a USB drive, network folder, or SharePoint site** On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. -![add a package option](images/package.png) +![add a package option.](images/package.png) --> 
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index b401df97ef..e1acdf9f1d 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D You can use the following diagram to compare the tools. -![Which tool to use to set up Windows 10](images/suspc_wcd_featureslist.png) +![Which tool to use to set up Windows 10.](images/suspc_wcd_featureslist.png) ## In this section diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 3044c770e5..10e2d2f7e0 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC' **Figure 1** - Configure Take a Test in the Set up School PCs app -![Configure Take a Test in the Set up School PCs app](images/suspc_choosesettings_setuptakeatest.png) +![Configure Take a Test in the Set up School PCs app.](images/suspc_choosesettings_setuptakeatest.png) ### Set up a test account in Intune for Education You can set up a test-taking account in Intune for Education. To do this, follow these steps: @@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 2** - Add a test profile in Intune for Education - ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png) + ![Add a test profile in Intune for Education.](images/i4e_takeatestprofile_addnewprofile.png) 3. In the new profile page: 1. Enter a name for the profile. 
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 3** - Add information about the test profile - ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png) + ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png) After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. @@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 4** - Assign the test account to a group - ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png) + ![Assign the test account to a group.](images/i4e_takeatestprofile_accountsummary.png) 5. In the **Groups** page, click **Change group assignments**. **Figure 5** - Change group assignments - ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png) + ![Change group assignments.](images/i4e_takeatestprofile_groups_changegroupassignments.png) 6. In the **Change group assignments** page: 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. 
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 6** - Select the group(s) that will use the test account - ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png) + ![Select the groups that will use the test account.](images/i4e_takeatestprofile_groupassignment_selected.png) And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests. @@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png) The account can be in one of the following formats: - username diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 1286a5aec8..9d26301975 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC, **Figure 1** - Use the Settings app to set up a test-taking account - ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) + ![Use the Settings app to set up a test-taking account.](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) 4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account. **Figure 2** - Choose the test-taking account - ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) + ![Choose the test-taking account.](images/tat_settingsapp_setuptesttakingaccount_1703.png) > [!NOTE] > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 7e016c22c0..f9ba6a9479 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr ## How to use Take a Test -![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png) +![Set up and user flow for the Take a Test app.](images/take_a_test_flow_dark.png) There are several ways to configure devices for assessments, depending on your use case: diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 136499ee4c..6f0d1d4341 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly - You can assign the app to others. - You can download the app to distribute. - + ### Install for me You can install the app on your PC. This gives you a chance to work with the app before using it with your students. @@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. - + 3. Click **Install**. @@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. - + 3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) + ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) You can assign the app to students with work or school accounts.
If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. @@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with Students will receive an email with a link that will install the app on their PC. -![Email with Get the app link](images/minecraft-student-install-email.png) +![Email with Get the app link.](images/minecraft-student-install-email.png) 1. Click **Get the app** to start the app install in Microsoft Store app. 2. In Microsoft Store app, click **Install**. - ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png) + ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. - ![My Library for example student](images/minecraft-my-library.png) + ![My Library for example student.](images/minecraft-my-library.png) ### Download for others Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: 
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png) + ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png) + ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 3f31119391..ca36e12e5a 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**. - ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) + ![Launch the Set up School PCs app.](images/suspc_getstarted_050817.png) ### Package name Type a unique name to help distinguish your school's provisioning packages. The name appears: diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 4294d7199e..3b6a109ef3 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -18,7 +18,7 @@ ms.topic: conceptual # Get started: Deploy and manage a full cloud IT solution for your business -![Learn how to set up a full cloud infrastructure for your business](images/business-cloud-mode.png) +![Learn how to set up a full cloud infrastructure for your business.](images/business-cloud-mode.png) **Applies to:** @@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 1** - Try or buy Office 365 - ![Office 365 for business sign up](images/office365_tryorbuy_now.png) + ![Office 365 for business sign up.](images/office365_tryorbuy_now.png) 2. Fill out the sign up form and provide information about you and your company. 3. Create a user ID and password to use to sign into your account. @@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 2** - Microsoft 365 admin center - ![Microsoft 365 admin center](images/office365_portal.png) + ![Microsoft 365 admin center.](images/office365_portal.png) 6. Select the **Admin** tile to go to the admin center. 
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 3** - Admin center - ![Microsoft 365 admin center](images/office365_admin_portal.png) + ![Microsoft 365 admin center.](images/office365_admin_portal.png) 8. Go back to the admin center to add or buy a domain. @@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 4** - Option to add or buy a domain - ![Add or buy a domain in admin center](images/office365_buy_domain.png) + ![Add or buy a domain in admin center.](images/office365_buy_domain.png) 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. **Figure 5** - Microsoft-provided domain - ![Microsoft-provided domain](images/office365_ms_provided_domain.png) + ![Microsoft-provided domain.](images/office365_ms_provided_domain.png) - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. 
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 6** - Domains - ![Verify your domains in the admin center](images/office365_additional_domain.png) + ![Verify your domains in the admin center.](images/office365_additional_domain.png) ### 1.2 Add users and assign product licenses Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center. @@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 7** - Add users - ![Add Office 365 users](images/office365_users.png) + ![Add Office 365 users.](images/office365_users.png) 2. In the **Home > Active users** page, add users individually or in bulk. - To add users one at a time, select **+ Add a user**. @@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 8** - Add an individual user - ![Add an individual user](images/office365_add_individual_user.png) + ![Add an individual user.](images/office365_add_individual_user.png) - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. 
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 9** - Import multiple users - ![Import multiple users](images/office365_import_multiple_users.png) + ![Import multiple users.](images/office365_import_multiple_users.png) 3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them. **Figure 10** - List of active users - ![Verify users and assigned product licenses](images/o365_active_users.png) + ![Verify users and assigned product licenses.](images/o365_active_users.png) ### 1.3 Add Microsoft Intune Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see What is Intune? @@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag **Figure 11** - Assign Intune licenses - ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png) + ![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png) 5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again. 6. Select **Intune**. This will take you to the Intune management portal. **Figure 12** - Microsoft Intune management portal - ![Microsoft Intune management portal](images/intune_portal_home.png) + ![Microsoft Intune management portal.](images/intune_portal_home.png) Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution). 
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick **Figure 13** - Access to Azure AD is not available - ![Access to Azure AD not available](images/azure_ad_access_not_available.png) + ![Access to Azure AD not available.](images/azure_ad_access_not_available.png) 3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365. 4. Click **Azure subscription**. This will take you to a free trial sign up screen. **Figure 14** - Sign up for Microsoft Azure - ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png) + ![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png) 5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**. 6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**. **Figure 15** - Start managing your Azure subscription - ![Start managing your Azure subscription](images/azure_ad_successful_signup.png) + ![Start managing your Azure subscription.](images/azure_ad_successful_signup.png) This will take you to the Microsoft Azure portal. @@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the Microsoft Store for Business using the same tenant account that you used to sign into Intune. 4. Accept the EULA. 
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**. 8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune. **Figure 26** - Configure Store for Business sync in Intune - ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png) + ![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png) 9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**. **Figure 27** - Enable Microsoft Store for Business sync in Intune - ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png) + ![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png) The **Microsoft Store for Business** page will refresh and it will show the details from the sync. @@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S **Figure 28** - Shop for Store apps - ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png) + ![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png) 2. Click to select an app, such as **Reader**. This opens the app page. 3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page. 
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S **Figure 29** - App inventory shows the purchased apps - ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png) + ![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png) > [!NOTE] > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). @@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your **Figure 30** - Force a sync in Intune - ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png) + ![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png) **To view purchased apps** - In the Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly. @@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi **Figure 31** - First screen in Windows device setup - ![First screen in Windows device setup](images/win10_hithere.png) + ![First screen in Windows device setup.](images/win10_hithere.png) > [!NOTE] > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. 
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi **Figure 32** - Choose how you'll connect your Windows device - ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png) + ![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png) 4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts. **Figure 33** - Sign in using one of the accounts you added - ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png) + ![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png) 5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup. @@ -430,7 +430,7 @@ In the Intune management **Figure 34** - Check the PC name on your device - ![Check the PC name on your device](images/win10_settings_pcname.png) + ![Check the PC name on your device.](images/win10_settings_pcname.png) 2. Log in to the Intune management portal. 3. Select **Groups** and then go to **Devices**. 
@@ -441,7 +441,7 @@ In the Intune management **Figure 35** - Check that the device appears in Intune - ![Check that the device appears in Intune](images/intune_groups_devices_list.png) + ![Check that the device appears in Intune.](images/intune_groups_devices_list.png) ## 3. Manage device settings and features You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). @@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 36** - Reconfigure an app's deployment setting in Intune - ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png) + ![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png) 6. Click **Finish**. 7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible. @@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 37** - Confirm that additional apps were deployed to the device - ![Confirm that additional apps were deployed to the device](images/win10_deploy_apps_immediately.png) + ![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png) ### 3.2 Configure other settings in Intune @@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 38** - Add a configuration policy - ![Add a configuration policy](images/intune_policy_disablecamera.png) + ![Add a configuration policy.](images/intune_policy_disablecamera.png) 7. Click **Save Policy**. A confirmation window will pop up. 8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now. 
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 39** - The new policy should appear in the **Policies** list. - ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png) + ![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png) **To turn off Windows Hello and PINs during device setup** 1. In the Intune management portal, select **Admin**. @@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 40** - Policy to disable Windows Hello for Business - ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png) + ![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png) 4. Click **Save**. 
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne **Figure 41** - Add an Azure AD account to the device - ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png) + ![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png) 4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user. **Figure 42** - Enter the account details - ![Enter the account details](images/win10_add_new_user_account_aadwork.png) + ![Enter the account details.](images/win10_add_new_user_account_aadwork.png) 5. You will be asked to update the password so enter a new password. 6. Verify the details to make sure you're connecting to the right organization and then click **Join**. **Figure 43** - Make sure this is your organization - ![Make sure this is your organization](images/win10_confirm_organization_details.png) + ![Make sure this is your organization.](images/win10_confirm_organization_details.png) 7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**. **Figure 44** - Confirmation that the device is now connected - ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png) + ![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png) 8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources. **Figure 45** - Device is now enrolled in Azure AD - ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png) + ![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png) 9. 
You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. diff --git a/smb/index.md b/smb/index.md index cc4c596a1c..a6ae7f1200 100644 --- a/smb/index.md +++ b/smb/index.md @@ -17,16 +17,16 @@ audience: itpro # Windows 10 for SMB -![Windows 10 for SMB](images/smb_portal_banner.png) +![Windows 10 for SMB.](images/smb_portal_banner.png) -## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn +## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn

Windows 10 for business
Learn how Windows 10 and Windows devices can help your business.

SMB blog
Read about the latest stories, technology insights, and business strategies for SMBs.

How to buy
Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.

-## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy +## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy

Get started: Deploy and manage a full cloud IT solution for your business
Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.

diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index 73c2ce1f3d..882b7e57ba 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add 2. Select **Manage**, and then select **Settings**. 3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**. -![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png) +![manage settings to control Basic Purchaser role assignment.](images/sfb-allow-shop-setting.png) ## Allow app requests diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index 26bb2598f8..bee1e82435 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -51,7 +51,7 @@ invoice and descriptions for each term. The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay. -![Invoice summary section](images/invoicesummary.png) +![Invoice summary section.](images/invoicesummary.png) | Term | Description | @@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab The **Billing Summary** shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due. -![Billing summary section](images/billingsummary.png) +![Billing summary section.](images/billingsummary.png) | Term | Description | | --- | --- | 
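Review bot: the `@@ -55,7 +55,7 @@` hunk of acquire-apps-microsoft-store-for-business.md leaves the double comma in its context line `3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**.` untouched; since the paragraph directly below is being edited for alt-text punctuation, drop the stray comma in the same change. The alt text itself (`manage settings to control Basic Purchaser role assignment.`) also starts lowercase while most other alt text in this PR is capitalized.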
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure `Total = Charges/Credits - Azure Credit + Tax` -![Details by invoice section](images/invoicesectiondetails.png) +![Details by invoice section.](images/invoicesectiondetails.png) | Term |Description | | --- | --- | diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index bb29be21a9..3bdd7d61bc 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -91,7 +91,7 @@ Get-MSStoreInventory >1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/). >2. Click **Manage** and then choose **Apps & software**. >3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example: ->![Url after apps/ is product id and next is SKU](images/lob-sku.png) +>![Url after apps/ is product id and next is SKU.](images/lob-sku.png) ## View people assigned to a product Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands: diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index 784e422a8a..0a66d2a739 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co 1. Click the people icon in Microsoft Store app, and click **Sign in**. - ![Sign in to Store app with a different account](images/wsfb-wsappsignin.png) + ![Sign in to Store app with a different account.](images/wsfb-wsappsignin.png) 2. Click **Add account**, and then click **Work or school account**. - ![Choose an account to use](images/wsfb-wsappaddacct.png) + ![Choose an account to use.](images/wsfb-wsappaddacct.png) 3. Type the email account and password, and click **Sign in**. - ![Sign in for work or school account](images/wsfb-wsappworkacct.png) + ![Sign in for work or school account.](images/wsfb-wsappworkacct.png) 4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**. - ![Private store with name highlighted](images/wsfb-wsappprivatestore.png) + ![Private store with name highlighted.](images/wsfb-wsappprivatestore.png) Click the private store to see apps in your private store. - ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png) + ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png) ## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 66f34fdabe..4b0cd1e47d 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f :::row::: :::column span="1"::: - ![Security groups](images/security-groups-icon.png) + ![Security groups.](images/security-groups-icon.png) :::column-end::: :::column span="1"::: **Use security groups with Private store apps**

On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.

[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education @@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features! | | | |-----------------------|---------------------------------| -| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**

We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

[Get more info](./manage-private-store-settings.md#private-store-performance)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**

We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

[Get more info](./manage-private-store-settings.md#private-store-performance)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | | **Manage Windows device deployment with Windows Autopilot Deployment**

In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.

[Get more info](add-profile-to-devices.md)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | || ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**

You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.

[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 2150c9e7c3..8efc8effad 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -46,7 +46,7 @@ You'll need to set up: - LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store. The process and timing look like this: -![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png) +![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png) ## Add an LOB publisher (Admin) Admins need to invite developer or ISVs to become an LOB publisher. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index b0bdee5283..130ad633ee 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). -![Package add file and registry data](images/packageaddfileandregistrydata.png) +![Package add file and registry data.](images/packageaddfileandregistrydata.png) **Package add file and registry data** 
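Review bot: the `@@ -38,7 +38,7 @@` hunk of whats-new-microsoft-store-business-education.md reproduces, in its unchanged context, a `https://review.docs.microsoft.com/...?branch=msfb-14856406#add-a-collection` link in the Private store collections row; a review-branch URL should not remain in a published article, and the same row reads `You can groups of apps in your private store` with the verb missing. Both sit in the table this hunk already rewrites, so fix them here (point the link at the public `manage-private-store-settings.md#add-a-collection` target used elsewhere in the row above, and restore the verb) rather than leaving them for another pass.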
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. -![package add file and registry data - global](images/packageaddfileandregistrydata-global.png) +![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png) **Package add file and registry data—global** @@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A 7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis. - ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png) + ![package add file and registry data - stream.](images/packageaddfileandregistrydata-stream.png) **Package add file and registry data—stream** diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 501a6eae9f..4183212c31 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md 
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi |Status|Task|References|Notes| |---|---|---|---| -|![Checklist box](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)|| >[!NOTE] >Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process. diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index e8785b3d7f..9bde5d0531 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit 1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). 2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation. - ![Selecting APP-V features in ADK](images/app-v-in-adk.png) + ![Selecting APP-V features in ADK.](images/app-v-in-adk.png) 3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**. See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index e838f04c45..50887ca724 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md 
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for |Status|Task|References|Notes| |---|---|---|---| -|![Checklist box](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)|| +|![Checklist 
box.](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index d123957cd1..0a72c19e87 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background.  -![Background apps settings page](images/backgroundapps-setting.png) +![Background apps settings page.](images/backgroundapps-setting.png) The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:  -![Battery usage by app on desktop](images/battery-usage-by-app-desktop.png) +![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png) Here is the set of available controls for mobile devices:  -![Battery usage by app on mobile](images/battery-usage-by-app-mobile.png) +![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 0cda2dc8c9..4483687ba8 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d 5. Right-click **Registry** > **New** > **Registry Item**. - ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) + ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) 6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. - ![Choose HKLM](media/gpp-hklm.png) + ![Choose HKLM.](media/gpp-hklm.png) 7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. - ![Select Start](media/gpp-svc-start.png) + ![Select Start.](media/gpp-svc-start.png) 8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. - ![Startup Type is Disabled](media/gpp-svc-disabled.png) + ![Startup Type is Disabled.](media/gpp-svc-disabled.png) 9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. 
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): -![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) +![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) > [!CAUTION] > We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry: -![Create per-user services in disabled state](media/user-service-flag.png) +![Create per-user services in disabled state.](media/user-service-flag.png) ### Manage template services by modifying the Windows image @@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance. -![Use sc.exe to view service type](media/cmd-type.png) \ No newline at end of file +![Use sc.exe to view service type.](media/cmd-type.png) \ No newline at end of file 
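Review bot: the alt text changed in the `@@ -140,14 +140,14 @@` hunk of per-user-services-in-windows.md still carries two typos, `servive` and `Starup`; since the line is rewritten anyway, make it `![Using Regedit to change service Startup Type.](media/regedit-change-service-startup-type.png)` rather than only appending the period. The `@@ -186,4 +186,4 @@` hunk in the same file keeps `\ No newline at end of file` on both sides; add the trailing newline while the file is open.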
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 4130fde7e5..8482a3497c 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You For example, here are the running processes displayed in Task Manager in Windows 10 version 1607: -![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png) +![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) Compare that to the same view of running processes in Windows 10 version 1703: -![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png) +![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png) @@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The default value of **1** prevents the service from being split. For example, this is the registry key configuration for BFE: -![Example of a service that cannot be separated](media/svchost-separation-disabled.png) +![Example of a service that cannot be separated.](media/svchost-separation-disabled.png) ## Memory footprint @@ -77,7 +77,7 @@ Consider the following: |Grouped Services (< 3.5GB) | Split Services (3.5GB+) |--------------------------------------- | ------------------------------------------ | -|![Memory utilization for grouped services](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | +|![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | > [!NOTE] > The above represents the peak observed values. 
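Review bot: the table row in the `@@ -77,7 +77,7 @@` hunk of svchost-service-refactoring.md is only half converted: the first cell becomes `![Memory utilization for grouped services.](media/svchost-grouped-utilization.png)` but the second, `![Memory utilization for separated services](media/svchost-separated-utilization.png)`, is left without the period, so the row ends up inconsistent with itself and with the rest of the PR. Apply the same change to both cells.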
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 260944a53c..6da0fdfdb9 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -23,11 +23,11 @@ ms.topic: article Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. -![Screenshot of Control Panel](images/admin-tools.png) +![Screenshot of Control Panel.](images/admin-tools.png) The tools in the folder might vary depending on which edition of Windows you are using. -![Screenshot of folder of admin tools](images/admin-tools-folder.png) +![Screenshot of folder of admin tools.](images/admin-tools-folder.png) These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index ac96c101cf..c2a8ea0c57 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. - ![example of an audit failure](images/auditfailure.png) + ![example of an audit failure.](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

‎ - ![example of an audit success](images/auditsuccess.png) + ![example of an audit success.](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: -![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) +![event viewer screenshot showing wired-autoconfig and WLAN autoconfig.](images/eventviewer.png) Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. First, validate the type of EAP method that's used: -![eap authentication type comparison](images/comparisontable.png) +![eap authentication type comparison.](images/comparisontable.png) If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section. 
-![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) +![Constraints tab of the secure wireless connections properties.](images/eappropertymenu.png) The CAPI2 event log is useful for troubleshooting certificate-related issues. By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**. -![screenshot of event viewer](images/capi.png) +![screenshot of event viewer.](images/capi.png) For information about how to analyze CAPI2 event logs, see [Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: -![authenticator flow chart](images/authenticator_flow_chart.png) +![authenticator flow chart.](images/authenticator_flow_chart.png) If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples: -![client-side packet capture data](images/clientsidepacket_cap_data.png) +![client-side packet capture data.](images/clientsidepacket_cap_data.png) *Client-side packet capture data*

-![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) +![NPS-side packet capture data.](images/NPS_sidepacket_capture_data.png) *NPS-side packet capture data*
‎ > [!NOTE] > If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example: -![ETL parse](images/etl.png) +![ETL parse.](images/etl.png) ## Audit policy diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 646585085e..d039c10c17 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. -![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)
+![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
[Click to enlarge](img-boot-sequence.md)
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index ce4154396e..57d2cc10a8 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -152,7 +152,7 @@ The important components of the MSM include: - Security Manager (SecMgr) - handles all pre and post-connection security operations. - Authentication Engine (AuthMgr) – Manages 802.1x auth requests - ![MSM details](images/msmdetails.png) + ![MSM details.](images/msmdetails.png) Each of these components has their own individual state machines which follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. @@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta In the following example, the **View** settings are configured to **Show Only Filtered Lines**. -![TAT filter example](images/tat.png) \ No newline at end of file +![TAT filter example.](images/tat.png) \ No newline at end of file diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index 69fa51d4e4..d59710d70b 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -54,4 +54,4 @@ To change the policy for an external storage device: 7. Select the policy that you want to use. - ![Policy options for disk management](./images/change-def-rem-policy-2.png) + ![Policy options for disk management.](./images/change-def-rem-policy-2.png) 
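Review bot: The @@ -327,4 hunk in advanced-troubleshooting-wireless-network-connectivity.md still ends with `\ No newline at end of file` on both the removed and the added side; since `![TAT filter example.](images/tat.png)` is the last line and is being rewritten anyway, terminate it with a newline so the file stops producing this warning in every later diff.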
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 275869bf99..4d8f35673e 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -24,7 +24,7 @@ ms.topic: article From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). -![Remote Desktop Connection client](images/rdp.png) +![Remote Desktop Connection client.](images/rdp.png) ## Set up @@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer](images/allow-rdp.png) + ![Allow remote connections to this computer.](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md index b1077e5be6..6ce343dade 100644 --- a/windows/client-management/img-boot-sequence.md +++ b/windows/client-management/img-boot-sequence.md 
@@ -14,4 +14,4 @@ ms.prod: w10 Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-![Full-sized boot sequence flowchart](images/boot-sequence.png) +![Full-sized boot sequence flowchart.](images/boot-sequence.png) diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 376916c1d3..9354d9c8c9 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support. -![Task manager](images/task-manager.png) +![Task manager.](images/task-manager.png) The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage. -![Out of memory](images/out-of-memory.png) +![Out of memory.](images/out-of-memory.png) -![Task Manager](images/task-manager-commit.png) +![Task Manager.](images/task-manager-commit.png) The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values. diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 263dd24430..db00986ab0 100644 
--- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. -![Device Installation policies flow chart](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ +![Device Installation policies flow chart.](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ @@ -261,17 +261,17 @@ To find device identification strings using Device Manager 4. Find the “Printers” section and find the target printer - ![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ + ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ 5. Double-click the printer and move to the ‘Details’ tab. - ![‘Details’ tab](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ + ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ 6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies. - ![HWID](images/device-installation-dm-printer-hardware-ids.png) + ![HWID.](images/device-installation-dm-printer-hardware-ids.png) - ![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ + ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ > [!TIP] > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs. @@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed: 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 7. Click ‘OK’. @@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed: 1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously - ![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ + ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ 2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers @@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed: 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 - ![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ + ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ 6. Click ‘OK’. @@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 7. Click ‘OK’. @@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) - ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ + ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. @@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. - ![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ + ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ 12. Click ‘OK’. @@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l 3. Find the USB thumb-drive and select it. - ![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ + ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ 4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree. - ![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ + ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ > [!NOTE] > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked. - ![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ + ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ 5. Double-click the USB thumb-drive and move to the ‘Details’ tab. 6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ + ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ Creating the policy to prevent a single USB thumb-drive from being installed: @@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ + ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ 6. Click ‘OK’. @@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 - “Generic USB Hub” -> USB\USB20_HUB -![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ +![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine. @@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. - ![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ + ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. @@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ + ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ 13. Click ‘OK’. diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index a177277d07..f64ee0de0c 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -35,7 +35,7 @@ Policy paths: **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. -![Settings page visibility policy](images/settings-page-visibility-gp.png) +![Settings page visibility policy.](images/settings-page-visibility-gp.png) ## Configuring the Group Policy diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 22ba2d74a8..0e9dd8a789 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. -![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png) +![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png) ## Settings and Configuration diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index b5b30659d6..7b77f47742 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md 
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want, > [!TIP] > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: > - > ![Microsoft Bing Translator package error](images/sysprep-error.png) + > ![Microsoft Bing Translator package error.](images/sysprep-error.png) > > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. @@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want, 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of User Profiles UI](images/copy-to.png) + ![Example of User Profiles UI.](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. - ![Example of Copy To UI](images/copy-to-change.png) + ![Example of Copy To UI.](images/copy-to-change.png) 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. 
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want, - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of Copy profile to](images/copy-to-path.png) + ![Example of Copy profile to.](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path](images/copy-to-path.png) + ![Example of Copy To UI with UNC path.](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. 
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | | --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | > [!NOTE] > The Group Policy settings above can be applied in Windows 10 
Professional edition. diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 930343209f..42722f7bd7 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic The following diagram shows the AccountManagement configuration service provider in tree format. -![accountmanagement csp](images/provisioning-csp-accountmanagement.png) +![accountmanagement csp.](images/provisioning-csp-accountmanagement.png) **./Vendor/MSFT/AccountManagement** Root node for the AccountManagement configuration service provider. diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 34f60116f4..64394a6989 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md 
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a 1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png) + ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png) 2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available. - ![sign up for azure ad](images/azure-ad-add-tenant2.png) + ![sign up for azure ad.](images/azure-ad-add-tenant2.png) 3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**. - ![create azure account](images/azure-ad-add-tenant3.png) + ![create azure account.](images/azure-ad-add-tenant3.png) 4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**. - ![add aad tenant](images/azure-ad-add-tenant3-b.png) + ![add aad tenant.](images/azure-ad-add-tenant3-b.png) 5. After you finish creating your Azure account, you can add an Azure AD subscription. If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - ![login to office 365](images/azure-ad-add-tenant4.png) + ![login to office 365.](images/azure-ad-add-tenant4.png) 6. Select **Install software**. - ![login to office 365](images/azure-ad-add-tenant5.png) + ![login to office 365.](images/azure-ad-add-tenant5.png) 7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation. 
- ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png) + ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png) 8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase. - ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png) + ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png) 9. Continue with your purchase. - ![azure active directory premium payment page](images/azure-ad-add-tenant8.png) + ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) 10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....). - ![admin center left navigation menu](images/azure-ad-add-tenant9.png) + ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications. 
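Review bot: In the @@ -21,45 hunk of add-an-azure-ad-tenant-and-azure-ad-subscription.md, steps 5 and 6 end up with identical alt text for two different screenshots, `![login to office 365.](images/azure-ad-add-tenant4.png)` and `![login to office 365.](images/azure-ad-add-tenant5.png)`, although step 6 shows the **Install software** page rather than the sign-in page; since this PR is an alt-text accessibility pass, give the second image alt text that describes what it shows (for example `Install software option in the Office 365 portal.`). The unchanged context text in step 5 also has two typos that could be fixed while this hunk is open: `Office 356 portal` should read `Office 365 portal`, and `user1@contosoltd.onmicrosoftcom` is missing the dot before `com`.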
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent 1. Sign in to the Microsoft 365 admin center at using your organization's account. - ![register azuread](images/azure-ad-add-tenant10.png) + ![register azuread.](images/azure-ad-add-tenant10.png) 2. On the **Home** page, select on the Admin tools icon. - ![register azuread](images/azure-ad-add-tenant11.png) + ![register azuread.](images/azure-ad-add-tenant11.png) 3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. - ![register azuread](images/azure-ad-add-tenant12.png) + ![register azuread.](images/azure-ad-add-tenant12.png) 4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - ![register azuread](images/azure-ad-add-tenant13.png) + ![register azuread.](images/azure-ad-add-tenant13.png) 5. It may take a few minutes to process the request. - ![register azuread](images/azure-ad-add-tenant14.png) + ![register azuread.](images/azure-ad-add-tenant14.png) 6. You will see a welcome page when the process completes. - ![register azuread](images/azure-ad-add-tenant15.png) + ![register azuread.](images/azure-ad-add-tenant15.png) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 3df830bda7..5669fcf0f8 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace. The **Device Portal** page opens on your browser. - ![device portal screenshot](images/applocker-screenshot1.png) + ![device portal screenshot.](images/applocker-screenshot1.png) 8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. 9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. - ![device portal app manager](images/applocker-screenshot3.png) + ![device portal app manager.](images/applocker-screenshot3.png) 10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. - ![app manager](images/applocker-screenshot2.png) + ![app manager.](images/applocker-screenshot2.png) The following table shows the mapping of information to the AppLocker publisher rule field. diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 157bf6f4d0..4c8f6eaecd 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -23,7 +23,7 @@ manager: dansimp [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) -![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) +![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.

diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 82a11f3eb6..97f22aae88 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint. -![azure ad enrollment flow](images/azure-ad-enrollment-flow.png) +![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic. 
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software. -![azure ad add an app for mdm](images/azure-ad-app-gallery.png) +![azure ad add an app for mdm.](images/azure-ad-app-gallery.png) ### Add cloud-based MDM to the app gallery @@ -732,7 +732,7 @@ Response: When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenrollment](images/azure-ad-unenrollment.png) +![aadj unenrollment.](images/azure-ad-unenrollment.png) ## Error codes diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 21499425a9..ce25592491 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -20,10 +20,10 @@ manager: dansimp 2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. 3. Select **Microsoft Intune** and configure the blade. -![How to get to the Blade](images/azure-mdm-intune.png) +![How to get to the Blade.](images/azure-mdm-intune.png) Configure the blade -![Configure the Blade](images/azure-intune-configure-scope.png) +![Configure the Blade.](images/azure-intune-configure-scope.png) You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). 
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 0bb9326924..e07354fa81 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png) +![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png) **CONTEXT-ALLOW** Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 46ee3a5e98..15a939f7eb 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png) +![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png) ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. 
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 4fabdbc971..d1db6d514e 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re 1. Open the WCD tool. 2. Click **Advanced Provisioning**. - ![icd start page](images/bulk-enrollment7.png) + ![icd start page.](images/bulk-enrollment7.png) 3. Enter a project name and click **Next**. 4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). Here is the screenshot of the WCD at this point. - ![bulk enrollment screenshot](images/bulk-enrollment.png) + ![bulk enrollment screenshot.](images/bulk-enrollment.png) 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 11. On the main menu click **Export** > **Provisioning package**. - ![icd menu for export](images/bulk-enrollment2.png) + ![icd menu for export.](images/bulk-enrollment2.png) 12. Enter the values for your package and specify the package output location. - ![enter package information](images/bulk-enrollment3.png) - ![enter additional information for package information](images/bulk-enrollment4.png) - ![specify file location](images/bulk-enrollment6.png) + ![enter package information.](images/bulk-enrollment3.png) + ![enter additional information for package information.](images/bulk-enrollment4.png) + ![specify file location.](images/bulk-enrollment6.png) 13. Click **Build**. - ![icb build window](images/bulk-enrollment5.png) + ![icb build window.](images/bulk-enrollment5.png) 14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 15. Apply the package to your devices. 
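Review bot: the alt text on step 13 in bulk-enrollment-using-windows-provisioning-tool.md is `icb build window.`, while every other screenshot in this hunk and the previous one uses `icd` (`icd start page`, `icd menu for export`); this looks like a typo that the period-only change carries forward. Suggest `![icd build window.](images/bulk-enrollment5.png)`, or better a text that says what the picture shows, such as `Build page in Windows Configuration Designer.`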
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re 5. Set **ExportCertificate** to False. 6. For **KeyLocation**, select **Software only**. - ![icd certificates section](images/bulk-enrollment8.png) + ![icd certificates section.](images/bulk-enrollment8.png) 7. Specify the workplace settings. 1. Got to **Workplace** > **Enrollments**. 2. Enter the **UPN** for the enrollment and then click **Add**. diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 64372f26a8..ab4cb97c8f 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -21,7 +21,7 @@ The CellularSettings configuration service provider is used to configure cellula The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![provisioning for cellular settings](images/provisioning-csp-cellularsettings.png) +![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png) **DataRoam**

Optional. Integer. Specifies the default roaming value. Valid values are:

diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 5063181c3f..1d42413872 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -20,7 +20,7 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png) +![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) ***entryname***

Defines the name of the connection.
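Review bot: the alt text `cm\-cellularentries csp.` keeps backslash-escaped hyphens; inside Markdown alt text they are unnecessary, and renderers that do not process escapes in image descriptions show them as literal backslashes. Suggest dropping the escapes while the line is being changed, for example `![CM_CellularEntries CSP in tree format.](images/provisioning-csp-cm-cellularentries.png)`. The same applies to `provisioning\-csp\-deviceinstanceservice.` in deviceinstanceservice-csp.md later in this patch.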

diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index cce8060fe3..d4793c91e6 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices: | Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 | |------|--------|--------|--------| -| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) -| [Accounts CSP](accounts-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | -| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | -| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | -| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [DeviceStatus 
CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| -| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [RemoteFind CSP](remotefind-csp.md) | ![cross 
mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) +| [Accounts CSP](accounts-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [AppLocker CSP](applocker-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross 
mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [CertificateStore CSP](certificatestore-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | +| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DevDetail CSP](devdetail-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | +| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DevInfo CSP](devinfo-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMAcc CSP](dmacc-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMClient CSP](dmclient-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | +| 
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| +| [NodeCache CSP](nodecache-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | +| [Update CSP](update-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check 
mark](images/checkmark.png) | +| [WiFi CSP](wifi-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 8e886f3661..cc589f1f13 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd The following diagram provides a conceptual overview of how this works: -![mobile device update management](images/mdm-update-sync.png) +![mobile device update management.](images/mdm-update-sync.png) The diagram can be roughly divided into three areas: @@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need This section describes how this is done. The following diagram shows the server-server sync protocol process. -![mdm server-server sync](images/deviceupdateprocess2.png) +![mdm server-server sync.](images/deviceupdateprocess2.png) MSDN provides much information about the Server-Server sync protocol. In particular: @@ -140,7 +140,7 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy The following diagram shows the Update policies in a tree format. -![update policies](images/update-policies.png) +![update policies.](images/update-policies.png) **Update/ActiveHoursEnd** > [!NOTE] 
@@ -676,7 +676,7 @@ Example The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format.. -![provisioning csp update](images/provisioning-csp-update.png) +![provisioning csp update.](images/provisioning-csp-update.png) **Update** The root node. @@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. -![mdm update management screenshot](images/deviceupdatescreenshot1.png) +![mdm update management screenshot.](images/deviceupdatescreenshot1.png) -![mdm update management metadata screenshot](images/deviceupdatescreenshot2.png) +![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) ## SyncML example 
@@ -945,5 +945,5 @@ Set auto update to notify and defer. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. -![mdm device update management screenshot3](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) +![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index f24564545c..0db22bf159 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md 
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile. The following diagram shows the DeviceInstanceService configuration service provider in tree format. -![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png) +![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png) **Roaming** A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming. diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index cef65071ec..9933e58a23 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled) The following image shows the DeviceLock configuration service provider in tree format. -![devicelock csp](images/provisioning-csp-devicelock.png) +![devicelock csp.](images/provisioning-csp-devicelock.png) **Provider** Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 6043b61d8c..92ed52968c 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m 1. On your managed device go to **Settings** > **Accounts** > **Access work or school**. 1. Click your work or school account, then click **Info.** - ![Access work or school page in Settings](images/diagnose-mdm-failures15.png) + ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) 1. At the bottom of the **Settings** page, click **Create report**. - ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png) + ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png) 1. A window opens that shows the path to the log files. Click **Export**. - ![Access work or school log files](images/diagnose-mdm-failures17.png) + ![Access work or school log files.](images/diagnose-mdm-failures17.png) 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. @@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event Here's a screenshot: -![mdm event viewer](images/diagnose-mdm-failures1.png) +![mdm event viewer.](images/diagnose-mdm-failures1.png) In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer. 
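Review bot: the context line directly after the edited image in the `@@ -59` hunk of diagnose-mdm-failures-in-windows-10.md says `if you need more details logs`; that should read `more detailed logs`. Not part of the alt-text change, but it is adjacent to it and easy to fold into this pass.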
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches 1. Open eventvwr.msc. 2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. - ![event viewer screenshot](images/diagnose-mdm-failures9.png) + ![event viewer screenshot.](images/diagnose-mdm-failures9.png) 3. Navigate to the etl file that you got from the device and then open the file. 4. Click **Yes** when prompted to save it to the new log format. - ![event viewer prompt](images/diagnose-mdm-failures10.png) + ![event viewer prompt.](images/diagnose-mdm-failures10.png) - ![diagnose mdm failures](images/diagnose-mdm-failures11.png) + ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) 5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. - ![event viewer actions](images/diagnose-mdm-failures12.png) + ![event viewer actions.](images/diagnose-mdm-failures12.png) 6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. - ![event filter for Device Management](images/diagnose-mdm-failures13.png) + ![event filter for Device Management.](images/diagnose-mdm-failures13.png) 7. Now you are ready to start reviewing the logs. - ![event viewer review logs](images/diagnose-mdm-failures14.png) + ![event viewer review logs.](images/diagnose-mdm-failures14.png) ## Collect device state data diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 35fe6568b0..5f48d033a0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenerollment](images/azure-ad-unenrollment.png) +![aadj unenerollment.](images/azure-ad-unenrollment.png) When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 43882781ec..2ef69ad6c3 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md 
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s 1. Run rasphone.exe. - ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png) + ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png) 1. If you don't currently have a VPN connection and you see the following message, select **OK**. - ![vpnv2 csp network connections](images/vpnv2-csp-networkconnections.png) + ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png) 1. In the wizard, select **Workplace network**. - ![vpnv2 csp set up connection](images/vpnv2-csp-setupnewconnection.png) + ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) 1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters. - ![vpnv2 csp set up connection 2](images/vpnv2-csp-setupnewconnection2.png) + ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) 1. Create a fake VPN connection. In the UI shown here, select **Properties**. - ![vpnv2 csp choose nw connection](images/vpnv2-csp-choosenetworkconnection.png) + ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png) 1. In the **Test Properties** dialog, select the **Security** tab. - ![vpnv2 csp test props](images/vpnv2-csp-testproperties.png) + ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png) 1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. - ![vpnv2 csp test props2](images/vpnv2-csp-testproperties2.png) + ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png) 1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. - ![vpnv2 csp test props3](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) + ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) 1. 
Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. @@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Follow steps 1 through 7 in the EAP configuration article. 1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS). - ![vpn self host properties window](images/certfiltering1.png) + ![vpn self host properties window.](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. @@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Select the **Properties** button underneath the drop-down menu. 1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window](images/certfiltering2.png) + ![smart card or other certificate properties window.](images/certfiltering2.png) 1. On the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate window](images/certfiltering3.png) + ![configure certificate window.](images/certfiltering3.png) 1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. 1. Close the rasphone dialog box. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index d6a0127bab..cfc9928a0b 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 2. Under **Best match**, click **Edit group policy** to launch it. - ![GPEdit search](images/admx-gpedit-search.png) + ![GPEdit search.](images/admx-gpedit-search.png) 3. In **Local Computer Policy** navigate to the policy you want to configure. In this example, navigate to **Administrative Templates > System > App-V**. - ![App-V policies](images/admx-appv.png) + ![App-V policies.](images/admx-appv.png) 4. Double-click **Enable App-V Client**. The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters) - ![Enable App-V client](images/admx-appv-enableapp-vclient.png) + ![Enable App-V client.](images/admx-appv-enableapp-vclient.png) 3. Create the SyncML to enable the policy that does not require any parameter. 
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy. - ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png) + ![Enable publishing server 2 policy.](images/admx-appv-publishingserver2.png) - ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png) + ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png) 2. Find the variable names of the parameters in the ADMX file. You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). - ![Publishing server 2 policy description](images/admx-appv-policy-description.png) + ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index f4c951af17..bab52cb7fd 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md 
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we The following diagram shows a high-level overview of the process. -![update process for windows embedded 8.1 devices](images/windowsembedded-update.png) +![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png) ## Step 1: Prepare a test device to download updates from Microsoft Update @@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo 1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline. - ![device scan using Configuration Manager](images/windowsembedded-update2.png) + ![device scan using Configuration Manager.](images/windowsembedded-update2.png) 2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step. - ![device scan using Configuration Manager](images/windowsembedded-update3.png) + ![device scan using Configuration Manager.](images/windowsembedded-update3.png) 3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. - ![device scan using Configuration Manager](images/windowsembedded-update4.png) + ![device scan using Configuration Manager.](images/windowsembedded-update4.png) 4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.) 5. Follow the prompts for downloading the updates, but do not install the updates on the device. 
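Review bot: in the `@@ -107,15 +107,15 @@` hunk the three screenshots windowsembedded-update2, update3 and update4 all end up with the identical alt text `device scan using Configuration Manager.`, so a screen-reader user cannot tell the images apart, which defeats the accessibility purpose of this pass. Since these lines are already being touched, give each a description taken from its step, for example `Trigger Scan configuration baseline in Configuration Manager.`, `OMA-URI value for the Trigger Scan configuration item.` and `Remediate noncompliant rules when supported option selected.` (suggested wording, not in the source).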
@@ -216,11 +216,11 @@ The deployment process has three parts: 1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**. - ![embedded device update](images/windowsembedded-update18.png) + ![embedded device update.](images/windowsembedded-update18.png) 2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`. - ![embedded device update](images/windowsembedded-update19.png) + ![embedded device update.](images/windowsembedded-update19.png) 3. Select **Remediate noncompliant settings**, and then select **OK**. @@ -231,7 +231,7 @@ The deployment process has three parts: 1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` 2. Select **Remediate noncompliant settings**. - ![embedded device update](images/windowsembedded-update21.png) + ![embedded device update.](images/windowsembedded-update21.png) 3. Select **OK**. @@ -242,11 +242,11 @@ The deployment process has three parts: 1. Create a configuration baseline item and give it a name (such as ControlledUpdates). 2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**. - ![embedded device update](images/windowsembedded-update22.png) + ![embedded device update.](images/windowsembedded-update22.png) 3. Deploy the configuration baseline to the appropriate device or device collection. - ![embedded device update](images/windowsembedded-update23.png) + ![embedded device update.](images/windowsembedded-update23.png) 4. Select **OK**. 
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices: 2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**. 3. Select **Create Configuration Item**. - ![device update using Configuration Manager](images/windowsembedded-update5.png) + ![device update using Configuration Manager.](images/windowsembedded-update5.png) 4. Enter a filename (such as GetDUReport), and then select **Mobile Device**. 5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**. - ![device update using Configuration Manager](images/windowsembedded-update6.png) + ![device update using Configuration Manager.](images/windowsembedded-update6.png) 6. On the **Additional Settings** page, select **Add**. - ![device update using Configuration Manager](images/windowsembedded-update7.png) + ![device update using Configuration Manager.](images/windowsembedded-update7.png) 7. On the **Browse Settings** page, select **Create Setting**. - ![device update](images/windowsembedded-update8.png) + ![device update.](images/windowsembedded-update8.png) 8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**. 9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**. - ![handheld device update](images/windowsembedded-update9.png) + ![handheld device update.](images/windowsembedded-update9.png) 10. On the **Browse Settings** page, select **Close**. 11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**. - ![embedded device update](images/windowsembedded-update10.png) + ![embedded device update.](images/windowsembedded-update10.png) 12. Close the **Create Configuration Item Wizard** page. 13. 
Right-click on the newly create configuration item, and then select the **Compliance Rules** tab. 14. Select the new created mobile device setting (such as DUReport), and then select **Select**. 15. Enter a dummy value (such as zzz) that is different from the one on the device. - ![embedded device update](images/windowsembedded-update11.png) + ![embedded device update.](images/windowsembedded-update11.png) 16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option. 17. Select **OK** to close the **Edit Rule** page. 18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**. 19. Select **Create Configuration Item**. - ![embedded device update](images/windowsembedded-update12.png) + ![embedded device update.](images/windowsembedded-update12.png) 20. Enter a baseline name (such as RetrieveDUReport). 21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport). - ![embedded device update](images/windowsembedded-update13.png) + ![embedded device update.](images/windowsembedded-update13.png) 22. Select **OK**, and then select **OK** again to complete the configuration baseline. 23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**. - ![embedded device update](images/windowsembedded-update14.png) + ![embedded device update.](images/windowsembedded-update14.png) 24. Select **Remediate noncompliant rules when supported**. 25. Select the appropriate device collection and define the schedule. - ![device update](images/windowsembedded-update15.png) + ![device update.](images/windowsembedded-update15.png) 26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. 
Right-click on the deployment, and then select **View Status**. 27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab. 28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**. - ![device update](images/windowsembedded-update16.png) + ![device update.](images/windowsembedded-update16.png) 29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here. - ![device update](images/windowsembedded-update17.png) + ![device update.](images/windowsembedded-update17.png) 30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log. 31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 322e4dbc40..c9f13235e0 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
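Review bot: the same duplicated-alt-text problem recurs in the rest of enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md: the `@@ -216`, `@@ -231` and `@@ -242` hunks use `embedded device update.` for windowsembedded-update18, 19, 21, 22 and 23, and the `@@ -472,57 +472,57 @@` hunk uses `device update using Configuration Manager.` for update5/6/7, `device update.` for update8/15/16/17 and `embedded device update.` for update10 through update14. Adding a period to a string that is already indistinguishable across images does not help; derive each alt text from the step it illustrates (the step text next to every image already names the dialog or page shown).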
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. - ![Intune license verification](images/auto-enrollment-intune-license-verification.png) + ![Intune license verification.](images/auto-enrollment-intune-license-verification.png) 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). - ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) + ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) > [!IMPORTANT] > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. 
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service: You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. - ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png) + ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - ![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png) + ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) This information can also be found on the Azure AD device list. - ![Azure AD device list](images/azure-ad-device-list.png) + ![Azure AD device list.](images/azure-ad-device-list.png) 5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc - ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png) + ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) 6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) + ![Mobility setting MDM intune.](images/auto-enrollment-microsoft-intune-setting.png) 7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee 9. Verify that Microsoft Intune should allow enrollment of Windows devices. - ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png) + ![Enrollment of Windows devices.](images/auto-enrollment-enrollment-of-windows-devices.png) ## Configure the auto-enrollment Group Policy for a single PC @@ -102,18 +102,18 @@ Requirements: Click Start, then in the text box type gpedit. - ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) + ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. 3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. > [!div class="mx-imgBorder"] - > ![MDM policies](images/autoenrollment-mdm-policies.png) + > ![MDM policies.](images/autoenrollment-mdm-policies.png) 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) + ![MDM autoenrollment policy.](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. @@ -129,7 +129,7 @@ Requirements: If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. - ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) + ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) > [!Tip] > You can avoid this behavior by using Conditional Access Policies in Azure AD. 
@@ -139,7 +139,7 @@ Requirements: 7. Click **Info** to see the MDM enrollment information. - ![Work School Settings](images/autoenrollment-settings-work-school.png) + ![Work School Settings.](images/autoenrollment-settings-work-school.png) If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). @@ -148,13 +148,13 @@ Requirements: 1. Click **Start**, then in the text box type **task scheduler**. - ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png) + ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) 2. Under **Best match**, click **Task Scheduler** to launch it. 3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. - ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) + ![Auto-enrollment scheduled task.](images/autoenrollment-scheduled-task.png) To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. 
@@ -239,13 +239,13 @@ To collect Event Viewer logs: 3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully: - ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png) + ![Event ID 75.](images/auto-enrollment-troubleshooting-event-id-75.png) If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons: - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed: - ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png) + ![Event ID 76.](images/auto-enrollment-troubleshooting-event-id-76.png) To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information. @@ -253,7 +253,7 @@ To collect Event Viewer logs: The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot: - ![Task scheduler](images/auto-enrollment-task-scheduler.png) + ![Task scheduler.](images/auto-enrollment-task-scheduler.png) > [!Note] > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task. 
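Review bot: the unchanged context line in the `@@ -239,13 +239,13 @@` hunk links to `https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune`; the `en-ph` segment pins every reader to the Philippine English locale. While this hunk is open, drop the locale segment (`https://support.microsoft.com/help/4469913/...`) so the site serves the reader's own locale.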
@@ -262,24 +262,24 @@ To collect Event Viewer logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. - ![Event ID 107](images/auto-enrollment-event-id-107.png) + ![Event ID 107.](images/auto-enrollment-event-id-107.png) When the task is completed, a new event ID 102 is logged. - ![Event ID 102](images/auto-enrollment-event-id-102.png) + ![Event ID 102.](images/auto-enrollment-event-id-102.png) Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: - ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) + ![Outdated enrollment entries.](images/auto-enrollment-outdated-enrollment-entries.png) By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. 
In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: - ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) + ![Manually deleted entries.](images/auto-enrollment-activation-verification-less-entries.png) ### Related topics diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index b809041a65..c29e2047ad 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem The following diagram shows the EnterpriseModernAppManagement CSP in a tree format. -![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) +![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png) Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 51c1a6581f..98249aad50 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md 
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. -![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png) +![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png) ***EnterpriseID*** Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 12547591ba..3df7b51be2 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. -![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) +![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png) **FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9f691cab8c..03fb5b432d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
@@ -104,7 +104,7 @@ The following is a list of functions performed by the Device HealthAttestation C - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report) -![healthattestation service diagram](images/healthattestation_2.png) +![healthattestation service diagram.](images/healthattestation_2.png) diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 36a979715e..af7934b674 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. -![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png) +![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png) **Enabled** Required. Specifies whether to enable Internet sharing on the device. The default is false. diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 08a455f462..68633b48af 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  -![Mobile application management app](images/implement-server-side-mobile-application-management.png) +![Mobile application management app.](images/implement-server-side-mobile-application-management.png) MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 12e50c7af7..875c7d0ded 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. -![business store offline app distribution](images/businessstoreportalservices2.png) +![business store offline app distribution.](images/businessstoreportalservices2.png) ### Online-licensed application distribution The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application. -![business store online app distribution](images/businessstoreportalservices3.png) +![business store online app distribution.](images/businessstoreportalservices3.png) ## Integrate with Azure Active Directory @@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca The diagram below shows the call patterns for acquiring a new or updated application. -![business store portal service flow diagram](images/businessstoreportalservicesflow.png) +![business store portal service flow diagram.](images/businessstoreportalservicesflow.png) **Here is the list of available operations**: diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index d1e7b033f2..6dbe747d92 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. -![active directory azure ad signin](images/unifiedenrollment-rs1-1.png) +![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) ### Connect your device to an Active Directory domain (join a domain) @@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien 1. On the **Who Owns this PC?** page, select **My work or school owns it**. - ![oobe local account creation](images/unifiedenrollment-rs1-2.png) + ![oobe local account creation.](images/unifiedenrollment-rs1-2.png) 2. Next, select **Join a domain**. - ![select domain or azure ad](images/unifiedenrollment-rs1-3.png) + ![select domain or azure ad.](images/unifiedenrollment-rs1-3.png) 3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. - ![create pc account](images/unifiedenrollment-rs1-4.png) + ![create pc account.](images/unifiedenrollment-rs1-4.png) ### Use the Settings app 
@@ -56,27 +56,27 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-5.png) + ![windows settings page.](images/unifiedenrollment-rs1-5.png) 2. Next, select **Accounts**. - ![windows settings accounts select](images/unifiedenrollment-rs1-6.png) + ![windows settings accounts select.](images/unifiedenrollment-rs1-6.png) 3. Navigate to **Access work or school**. - ![select access work or school](images/unifiedenrollment-rs1-7.png) + ![select access work or school.](images/unifiedenrollment-rs1-7.png) 4. Select **Connect**. - ![connect to work or school](images/unifiedenrollment-rs1-8.png) + ![connect to work or school.](images/unifiedenrollment-rs1-8.png) 5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. - ![join account to active directory domain](images/unifiedenrollment-rs1-9.png) + ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) 6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. - ![type in domain name](images/unifiedenrollment-rs1-10.png) + ![type in domain name.](images/unifiedenrollment-rs1-10.png) ### Help with connecting to an Active Directory domain 
@@ -101,11 +101,11 @@ To join a domain: 1. Select **My work or school owns it**, then select **Next.** - ![oobe local account creation](images/unifiedenrollment-rs1-11.png) + ![oobe local account creation.](images/unifiedenrollment-rs1-11.png) 2. Select **Join Azure AD**, and then select **Next.** - ![select domain or azure ad](images/unifiedenrollment-rs1-12.png) + ![select domain or azure ad.](images/unifiedenrollment-rs1-12.png) 3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. @@ -113,7 +113,7 @@ To join a domain: Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. - ![azure ad signin](images/unifiedenrollment-rs1-13.png) + ![azure ad signin.](images/unifiedenrollment-rs1-13.png) ### Use the Settings app 
@@ -121,27 +121,27 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-14.png) + ![windows settings page.](images/unifiedenrollment-rs1-14.png) 2. Next, navigate to **Accounts**. - ![windows settings accounts select](images/unifiedenrollment-rs1-15.png) + ![windows settings accounts select.](images/unifiedenrollment-rs1-15.png) 3. Navigate to **Access work or school**. - ![select access work or school](images/unifiedenrollment-rs1-16.png) + ![select access work or school.](images/unifiedenrollment-rs1-16.png) 4. Select **Connect**. - ![connect to work or school](images/unifiedenrollment-rs1-17.png) + ![connect to work or school.](images/unifiedenrollment-rs1-17.png) 5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**. - ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) + ![join work or school account to azure ad.](images/unifiedenrollment-rs1-18.png) 6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![azure ad sign in](images/unifiedenrollment-rs1-19.png) + ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) 7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
@@ -151,7 +151,7 @@ To create a local account and connect the device: After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. - ![corporate sign in](images/unifiedenrollment-rs1-20.png) + ![corporate sign in.](images/unifiedenrollment-rs1-20.png) ### Help with connecting to an Azure AD domain @@ -183,19 +183,19 @@ To create a local account and connect the device: 1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. - ![windows settings page](images/unifiedenrollment-rs1-21-b.png) + ![windows settings page.](images/unifiedenrollment-rs1-21-b.png) 2. Navigate to **Access work or school**. - ![select access work or school](images/unifiedenrollment-rs1-23-b.png) + ![select access work or school.](images/unifiedenrollment-rs1-23-b.png) 3. Select **Connect**. - ![connect to work or school](images/unifiedenrollment-rs1-24-b.png) + ![connect to work or school.](images/unifiedenrollment-rs1-24-b.png) 4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png) + ![join work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) 5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
@@ -205,11 +205,11 @@ To create a local account and connect the device: Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. - ![corporate sign in](images/unifiedenrollment-rs1-26.png) + ![corporate sign in.](images/unifiedenrollment-rs1-26.png) 6. After you complete the flow, your Microsoft account will be connected to your work or school account. - ![account successfully added](images/unifiedenrollment-rs1-27.png) + ![account successfully added.](images/unifiedenrollment-rs1-27.png) ### Connect to MDM on a desktop (enrolling in device management) 
@@ -221,29 +221,29 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-28.png) + ![windows settings page.](images/unifiedenrollment-rs1-28.png) 2. Next, navigate to **Accounts**. - ![windows settings accounts page](images/unifiedenrollment-rs1-29.png) + ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) 3. Navigate to **Access work or school**. - ![access work or school](images/unifiedenrollment-rs1-30.png) + ![access work or school.](images/unifiedenrollment-rs1-30.png) 4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - ![connect to work or school](images/unifiedenrollment-rs1-31.png) + ![connect to work or school.](images/unifiedenrollment-rs1-31.png) 5. Type in your work email address. - ![set up work or school account](images/unifiedenrollment-rs1-32.png) + ![set up work or school account.](images/unifiedenrollment-rs1-32.png) 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. - ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) + ![corporate sign in.](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. 
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links: - IT admins can add this link to a welcome email that users can select to enroll into MDM. - ![using enrollment deeplink in email](images/deeplinkenrollment1.png) + ![using enrollment deeplink in email.](images/deeplinkenrollment1.png) - IT admins can also add this link to an internal web page that users refer to enrollment instructions. @@ -308,20 +308,20 @@ To connect your devices to MDM using deep links: Type in your work email address. - ![set up work or school account](images/deeplinkenrollment3.png) + ![set up work or school account.](images/deeplinkenrollment3.png) 3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. - ![corporate sign in](images/deeplinkenrollment4.png) + ![corporate sign in.](images/deeplinkenrollment4.png) ## Manage connections To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection. -![managing work or school account](images/unifiedenrollment-rs1-34-b.png) +![managing work or school account.](images/unifiedenrollment-rs1-34-b.png) ### Info 
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. -![work or school info](images/unifiedenrollment-rs1-35-b.png) +![work or school info.](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] > Starting in Windows 10, version 1709, the **Manage** button is no longer available. @@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here. -![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png) +![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index e9383e871f..ad2d4edddc 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -17,7 +17,7 @@ The Messaging configuration service provider is used to configure the ability to The following diagram shows the Messaging configuration service provider in tree format. -![messaging csp](images/provisioning-csp-messaging.png) +![messaging csp.](images/provisioning-csp-messaging.png) **./User/Vendor/MSFT/Messaging** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 32f9b5ee66..6c898afe02 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. -![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png) +![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) Here is the corresponding registry key: diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 1b5f5ecdd4..0b715c1a53 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (initial bootstrapping)](images/provisioning-csp-napdef-cp.png) +![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png) The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (update bootstrapping)](images/provisioning-csp-napdef-cp-2.png) +![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png) **NAPAUTHINFO** Defines a group of authentication settings. 
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ce79fdb702..272489e4a8 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine. -![ssl settings](images/ssl-settings.png) +![ssl settings.](images/ssl-settings.png) ### MDM enrollment fails on the mobile device when traffic is going through proxy @@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration 1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article. 2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) - ![vpn selfhost properties window](images/certfiltering1.png) + ![vpn selfhost properties window.](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. 
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration 3. Click the **Properties** button underneath the drop down menu. 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window](images/certfiltering2.png) + ![smart card or other certificate properties window.](images/certfiltering2.png) 5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate selection window](images/certfiltering3.png) + ![configure certificate selection window.](images/certfiltering3.png) 6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. 7. Close the rasphone dialog box. 8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering. @@ -492,7 +492,7 @@ No. Only one MDM is allowed. 4. Click **Configure**. 5. Set quota to unlimited. - ![aad maximum joined devices](images/faq-max-devices.png) + ![aad maximum joined devices.](images/faq-max-devices.png) ### **What is dmwappushsvc?** diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index c73d5fdc8d..84ff8f5e34 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows The following diagram shows the PassportForWork configuration service provider in tree format. -![passportforwork csp](images/provisioning-csp-passportforwork.png) +![passportforwork csp.](images/provisioning-csp-passportforwork.png) ### Device configuration diagram The following diagram shows the PassportForWork configuration service provider in tree format. -![passportforwork diagram](images/provisioning-csp-passportforwork2.png) +![passportforwork diagram.](images/provisioning-csp-passportforwork2.png) **PassportForWork** Root node for PassportForWork configuration service provider. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index ddeb61f84a..da0f0543dc 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -44,7 +44,7 @@ The Policy configuration service provider has the following sub-categories: The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. -![policy csp diagram](images/provisioning-csp-policy.png) +![policy csp diagram.](images/provisioning-csp-policy.png) **./Vendor/MSFT/Policy** diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 9d7aa06011..013edacaec 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and ``` You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. -:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image"::: +:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image."::: @@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i You can also block installation by using a custom profile in Intune. -![Custom profile prevent devices](images/custom-profile-prevent-other-devices.png) +![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png) @@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed. -![Custom profile prevent device ids](images/custom-profile-prevent-device-ids.png) +![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png) @@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile prevents installation of devices with matching device instance IDs. -![Custom profile](images/custom-profile-prevent-device-instance-ids.png) +![Custom profile.](images/custom-profile-prevent-device-instance-ids.png) To prevent installation of devices with matching device instance IDs by using custom profile in Intune: 1. Locate the device instance ID. diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index a0a34ee244..92df20eba2 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md 
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
@@ -52,34 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. - ![mdm push notification1](images/push-notification1.png) + ![mdm push notification1.](images/push-notification1.png) 2. Create a new app. - ![mdm push notification2](images/push-notification2.png) + ![mdm push notification2.](images/push-notification2.png) 3. Reserve an app name. - ![mdm push notification3](images/push-notification3.png) + ![mdm push notification3.](images/push-notification3.png) 4. Click **Services**. - ![mdm push notification4](images/push-notification4.png) + ![mdm push notification4.](images/push-notification4.png) 5. Click **Push notifications**. - ![mdm push notification5](images/push-notification5.png) + ![mdm push notification5.](images/push-notification5.png) 6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. - ![mdm push notification6](images/push-notification6.png) + ![mdm push notification6.](images/push-notification6.png) 7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: - Application Id - Application Secrets - Microsoft Store Package SID, Application Identity, and Publisher. - ![mdm push notification7](images/push-notification7.png) + ![mdm push notification7.](images/push-notification7.png) 8. Click **Save**. 9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard. 10. Select your app from the list on the left. 11. From the left nav, expand **App management** and then click **App identity**. - ![mdm push notification10](images/push-notification10.png) + ![mdm push notification10.](images/push-notification10.png) 12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.   
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 48baff3fe8..e2d40a822a 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -23,11 +23,11 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (initial bootstrapping)](images/provisioning-csp-pxlogical-cp.png) +![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png) The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (update bootstrapping)](images/provisioning-csp-pxlogical-cp-2.png) +![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png) **PXPHYSICAL** Defines a group of logical proxy settings. diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index be9c8a5339..28e198aa1f 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md 
@@ -23,15 +23,15 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent 1. Sign in to the Microsoft 365 admin center at using your organization's account. - ![register azuread](images/azure-ad-add-tenant10.png) + ![register azuread.](images/azure-ad-add-tenant10.png) 2. On the **Home** page, click on the Admin tools icon. - ![register azuread](images/azure-ad-add-tenant11.png) + ![register azuread.](images/azure-ad-add-tenant11.png) 3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal. - ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) + ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 9e203d4d39..4ffdbad557 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -25,7 +25,7 @@ For the SecurityPolicy CSP, you cannot use the Replace command unless the node a The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. -![securitypolicy csp (dm,cp)](images/provisioning-csp-securitypolicy-dmandcp.png) +![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png) ***PolicyID*** Defines the security policy identifier as a decimal value. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 5b211a0f55..21f39c4389 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
@@ -56,11 +56,11 @@ Group Policy option button setting: The following diagram shows the main display for the Group Policy Editor. -![Group Policy editor](images/group-policy-editor.png) +![Group Policy editor.](images/group-policy-editor.png) The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor. -![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png) +![Group Policy publisher server 2 settings.](images/group-policy-publisher-server-2-settings.png) Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol. diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 7916778bec..00d2b86cd5 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md 
@@ -119,7 +119,7 @@ Currently SwapfileSize should not be relied for determining or controlling the o **CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize** should be used for that purpose. -:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting"::: +:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting."::: > [!NOTE] > Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes. diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 3f6badf192..42a6882673 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -33,7 +33,7 @@ Important considerations: The following diagram shows the VPN configuration service provider in tree format. -![provisioning\-csp\-vpnimg](images/provisioning-csp-vpn.png) +![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png) ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index d6b9110b32..e7321b1888 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -25,7 +25,7 @@ The default security roles are defined in the root characteristic, and map to ea The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png) +![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png) **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". 
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 20f21f79bc..7aaa801796 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -23,7 +23,7 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w7 application csp (dm)](images/provisioning-csp-w7-application-dm.png) +![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png) > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 125bbfb687..e867ae66ef 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -31,7 +31,7 @@ Programming considerations: The following image shows the WiFi configuration service provider in tree format. -![wi-fi csp diagram](images/provisioning-csp-wifi.png) +![wi-fi csp diagram.](images/provisioning-csp-wifi.png) The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index a8be6bba9c..e5e7511669 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -25,7 +25,7 @@ The DM client is configured during the enrollment process to be invoked by the t The following diagram shows the work flow between server and client. -![windows client and server mdm diagram](images/enterprise-workflow.png) +![windows client and server mdm diagram.](images/enterprise-workflow.png) ## Management workflow diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c68424cd04..fc13fd3034 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -19,7 +19,7 @@ The Windows Defender Advanced Threat Protection (WDATP) configuration service pr The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). -![windowsadvancedthreatprotection csp diagram](images/provisioning-csp-watp.png) +![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png) The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 2f3cdf7fc7..2fe71b5e76 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md 
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) 
| +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | 
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw |--------------------------------------------------------------------------|------------------------------------------| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | -[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark](images/checkmark.png) -[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark](images/checkmark.png) +[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png) +[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png) [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | -[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark](images/checkmark.png) -[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark](images/checkmark.png) -[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark](images/checkmark.png) +[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png) +[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png) +[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png) [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | -[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark](images/checkmark.png) -[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark](images/checkmark.png) +[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross 
mark.](images/checkmark.png) +[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png) [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | -[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark](images/checkmark.png) +[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png) [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | 
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | -[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark](images/checkmark.png) +[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png) [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | -[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark](images/checkmark.png) +[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png) [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | -[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark](images/checkmark.png) +[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png) [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | -[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark](images/checkmark.png) +[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png) [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | 
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | -[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark](images/checkmark.png) +[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png) [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | 
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark](images/checkmark.png) -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark](images/checkmark.png) +[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png) +[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png) [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark](images/checkmark.png) -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark](images/checkmark.png) +[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png) +[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png) [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark](images/checkmark.png) +[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png) 
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark](images/checkmark.png) +[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png) [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark](images/checkmark.png) +[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png) [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark](images/checkmark.png) +[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png) [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | **Win32\_WindowsUpdateAgentVersion** | diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 6a50151342..acdcd2d268 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -57,7 +57,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443: 7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. -:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established"::: +:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established."::: ### Data and privacy diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index e0afd3d480..490b24075a 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -119,7 +119,7 @@ To verify the BCD entries: > [!NOTE] > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension. - ![bcdedit](images/screenshot1.png) + ![bcdedit.](images/screenshot1.png) If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**. 
@@ -179,11 +179,11 @@ Dism /Image:: /Get-packages After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages: -![Dism output pending update](images/pendingupdate.png) +![Dism output pending update.](images/pendingupdate.png) 1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer. - ![Dism output revert pending](images/revertpending.png) + ![Dism output revert pending.](images/revertpending.png) 2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. @@ -193,14 +193,14 @@ After you run this command, you'll see the **Install pending** and **Uninstall P 5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive. - ![Load Hive](images/loadhive.png) + ![Load Hive.](images/loadhive.png) 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. 7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. > [!div class="mx-imgBorder"] - > ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) + > ![Unload Hive.](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) 8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive. 
@@ -256,7 +256,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the \Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F} > [!div class="mx-imgBorder"] - > ![Registry](images/controlset.png) + > ![Registry.](images/controlset.png) If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value. @@ -274,8 +274,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the * `chkdsk /f /r OsDrive:` - ![Check disk](images/check-disk.png) + ![Check disk.](images/check-disk.png) * `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` - ![SFC scannow](images/sfc-scannow.png) + ![SFC scannow.](images/sfc-scannow.png) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 454101462a..390add3169 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
@@ -165,13 +165,13 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. - ![WinDbg img](images/windbg.png) + ![WinDbg img.](images/windbg.png) 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. 8. A detailed bugcheck analysis will appear. See the example below. - ![Bugcheck analysis](images/bugcheck-analysis.png) + ![Bugcheck analysis.](images/bugcheck-analysis.png) 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index 77e524634d..10ae554304 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -44,17 +44,17 @@ If the initial TCP handshake is failing because of packet drops, then you would Source side connecting on port 445: -![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png) +![Screenshot of frame summary in Network Monitor.](images/tcp-ts-6.png) Destination side: applying the same filter, you do not see any packets. -![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) +![Screenshot of frame summary with filter in Network Monitor.](images/tcp-ts-7.png) For the rest of the data, TCP will retransmit the packets five times. **Source 192.168.1.62 side trace:** -![Screenshot showing packet side trace](images/tcp-ts-8.png) +![Screenshot showing packet side trace.](images/tcp-ts-8.png) **Destination 192.168.1.2 side trace:** 
@@ -79,15 +79,15 @@ In the below screenshots, you see that the packets seen on the source and the de **Source Side** -![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png) +![Screenshot of packets on source side in Network Monitor.](images/tcp-ts-9.png) **On the destination-side trace** -![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png) +![Screenshot of packets on destination side in Network Monitor.](images/tcp-ts-10.png) You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. -![Screenshot of packet flag](images/tcp-ts-11.png) +![Screenshot of packet flag.](images/tcp-ts-11.png) The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. @@ -110,8 +110,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it. -![Screenshot of Event Properties](images/tcp-ts-12.png) +![Screenshot of Event Properties.](images/tcp-ts-12.png) Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection. -![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) +![Screenshot of wfpstate.xml file.](images/tcp-ts-13.png) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index b432191920..daa23de8b1 100644 
--- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -21,7 +21,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: -![Adapters](images/nm-adapters.png) +![Adapters.](images/nm-adapters.png) When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. @@ -29,15 +29,15 @@ When the driver gets hooked to the network interface card (NIC) during installat 1. Run netmon in an elevated status by choosing Run as Administrator. - ![Image of Start search results for Netmon](images/nm-start.png) + ![Image of Start search results for Netmon.](images/nm-start.png) 2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**. - ![Image of the New Capture option on menu](images/tcp-ts-4.png) + ![Image of the New Capture option on menu.](images/tcp-ts-4.png) 3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. - ![Frame summary of network packets](images/tcp-ts-5.png) + ![Frame summary of network packets.](images/tcp-ts-5.png) 4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index ca8551b1dd..4c1e8b1b7f 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -58,19 +58,19 @@ Since outbound connections start to fail, you will see a lot of the below behavi - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. - ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png) + ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png) - Group Policy update failures: - ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png) + ![Screenshot of event properties for Group Policy failure.](images/tcp-ts-15.png) - File shares are inaccessible: - ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png) + ![Screenshot of error message "Windows cannot access."](images/tcp-ts-16.png) - RDP from the affected server fails: - ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png) + ![Screenshot of error when Remote Desktop is unable to connect.](images/tcp-ts-17.png) - Any other application running on the machine will start to give out errors 
@@ -84,15 +84,15 @@ If you suspect that the machine is in a state of port exhaustion: a. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png) + ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) b. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) + ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. - ![Screenshot of netstate command output](images/tcp-ts-20.png) + ![Screenshot of netstate command output.](images/tcp-ts-20.png) After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. @@ -136,7 +136,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind 1. Add a column called “handles” under details/processes. 2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe. - ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png) + ![Screenshot of handles column in Windows Task Maner.](images/tcp-ts-21.png) 3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. 
@@ -157,7 +157,7 @@ Steps to use Process explorer: File \Device\AFD - ![Screenshot of Process Explorer](images/tcp-ts-22.png) + ![Screenshot of Process Explorer.](images/tcp-ts-22.png) 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index 37b4dfa002..ba02501c81 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -16,7 +16,7 @@ manager: dansimp You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error. -![The following error has occurred: the RPC server is unavailable](images/rpc-error.png) +![The following error has occurred: the RPC server is unavailable.](images/rpc-error.png) This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. @@ -37,7 +37,7 @@ Before getting in to troubleshooting the *RPC server unavailable- error Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake. -![Diagram illustrating connection to remote server](images/rpc-flow.png) +![Diagram illustrating connection to remote server.](images/rpc-flow.png) RPC ports can be given from a specific range as well. ### Configure RPC dynamic port allocation 
@@ -162,13 +162,13 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) - Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. - ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png) + ![Screenshot of Network Monitor with dynamic port highlighted.](images/tcp-ts-23.png) - Check if we are connecting successfully to this Dynamic port successfully. - The filter should be something like this: `tcp.port==` and `ipv4.address==` - ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png) + ![Screenshot of Network Monitor with filter applied.](images/tcp-ts-24.png) This should help you verify the connectivity and isolate if any network issues are seen. @@ -177,7 +177,7 @@ This should help you verify the connectivity and isolate if any network issues a The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. -![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png) +![Screenshot of Network Monitor with TCP SYN retransmits.](images/tcp-ts-25.png) The port cannot be reachable due to one of the following reasons: diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 29a781be98..16c416a9cd 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md 
@@ -22,27 +22,27 @@ Click **Start** > **Settings** > **System** > click **About** from the bottom of You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: -![screenshot of the system properties window for a device running Windows 10](images/systemcollage.png) +![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) ## Using Keyword Search You can simply type the following in the search bar and press **ENTER** to see version details for your device. **“winver”** -![screenshot of the About Windows display text](images/winver.png) +![screenshot of the About Windows display text.](images/winver.png) **“msinfo”** or **"msinfo32"** to open **System Information**: -![screenshot of the System Information display text](images/msinfo32.png) +![screenshot of the System Information display text.](images/msinfo32.png) ## Using Command Prompt or PowerShell At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** -![screenshot of system information display text](images/refcmd.png) +![screenshot of system information display text.](images/refcmd.png) At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: -![screenshot of software licensing manager](images/slmgr_dlv.png) +![screenshot of software licensing manager.](images/slmgr_dlv.png) ## What does it all mean? diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 15407ebc50..5f433844ac 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md 
@@ -31,7 +31,7 @@ The order of apps in the XML file dictates the order of pinned apps on the taskb The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) +![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) ## Configure taskbar (general) @@ -142,11 +142,11 @@ The `` section will append listed apps to the tas ``` **Before:** -![default apps pinned to taskbar](images/taskbar-default.png) +![default apps pinned to taskbar.](images/taskbar-default.png) **After:** - ![additional apps pinned to taskbar](images/taskbar-default-plus.png) + ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) ## Remove default apps and add your own @@ -175,11 +175,11 @@ If you only want to remove some of the default pinned apps, you would use this m ``` **Before:** -![Taskbar with default apps](images/taskbar-default.png) +![Taskbar with default apps.](images/taskbar-default.png) **After:** -![Taskbar with default apps removed](images/taskbar-default-removed.png) +![Taskbar with default apps removed.](images/taskbar-default-removed.png) ## Remove default apps 
@@ -250,15 +250,15 @@ The following example shows you how to configure taskbars by country or region. When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: -![taskbar for US and UK locale](images/taskbar-region-usuk.png) +![taskbar for US and UK locale.](images/taskbar-region-usuk.png) The resulting taskbar for computers in Germany or France: -![taskbar for DE and FR locale](images/taskbar-region-defr.png) +![taskbar for DE and FR locale.](images/taskbar-region-defr.png) The resulting taskbar for computers in any other country region: -![taskbar for all other regions](images/taskbar-region-other.png) +![taskbar for all other regions.](images/taskbar-region-other.png) > [!NOTE] diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index e8a0cdee55..1190119050 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e >[!NOTE] >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819). -![Cortana at work, showing the sales data pulled from Dynamics CRM](../images/cortana-crm-screen.png) +![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png) ## Turn on Cortana with Dynamics CRM in your organization You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)? 
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use 2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**. - ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](../images/cortana-connect-crm.png) + ![Cotana at work, showing how to turn on the connected services for Dynamics CRM.](../images/cortana-connect-crm.png) The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 65919eb8e8..481cb27659 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md 
@@ -48,35 +48,35 @@ Before you can start this testing scenario, you must first set up your test envi 2. Expand the left rail by clicking the **Show the navigation pane** icon. - ![Cortana at work, showing the navigation expand icon in Power BI](../images/cortana-powerbi-expand-nav.png) + ![Cortana at work, showing the navigation expand icon in Power BI.](../images/cortana-powerbi-expand-nav.png) 3. Click **Get Data** from the left-hand navigation in Power BI. - ![Cortana at work, showing the Get Data link](../images/cortana-powerbi-getdata.png) + ![Cortana at work, showing the Get Data link.](../images/cortana-powerbi-getdata.png) 4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen. - ![Cortana at work, showing the Samples link](../images/cortana-powerbi-getdata-samples.png) + ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-getdata-samples.png) 5. Click **Retail Analysis Sample**, and then click **Connect**. - ![Cortana at work, showing the Samples link](../images/cortana-powerbi-retail-analysis-sample.png) + ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-retail-analysis-sample.png) The sample data is imported and you’re returned to the **Power BI** screen. 6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**. - ![Cortana at work, showing a dashboard view of the sample data](../images/cortana-powerbi-retail-analysis-dashboard.png) + ![Cortana at work, showing a dashboard view of the sample data.](../images/cortana-powerbi-retail-analysis-dashboard.png) 7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**. - ![Cortana at work, showing where to find the Settings option](../images/cortana-powerbi-settings.png) + ![Cortana at work, showing where to find the Settings option.](../images/cortana-powerbi-settings.png) 8. 
Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list. 9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**. - ![Cortana at work, showing where to find the dataset options](../images/cortana-powerbi-retail-analysis-dataset.png) + ![Cortana at work, showing where to find the dataset options.](../images/cortana-powerbi-retail-analysis-dataset.png) >[!NOTE] >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.

If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. @@ -92,7 +92,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu **To create a custom sales data Answer Page for Cortana** 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. - ![Cortana at work, showing where to create the new report](../images/cortana-powerbi-create-report.png) + ![Cortana at work, showing where to create the new report.](../images/cortana-powerbi-create-report.png) 2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**. @@ -100,11 +100,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu 3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list. - ![Cortana at work, showing the Visualizations options](../images/cortana-powerbi-pagesize.png) + ![Cortana at work, showing the Visualizations options.](../images/cortana-powerbi-pagesize.png) 4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**. - ![Cortana at work, showing the Field options](../images/cortana-powerbi-field-selection.png) + ![Cortana at work, showing the Field options.](../images/cortana-powerbi-field-selection.png) The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders. 
@@ -112,7 +112,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns. - ![Cortana at work, showing the page info for your specific report](../images/cortana-powerbi-report-qna.png) + ![Cortana at work, showing the page info for your specific report.](../images/cortana-powerbi-report-qna.png) 6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. @@ -128,13 +128,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from Cortana shows you the available results. - ![Cortana at work, showing the best matches based on the Power BI data](../images/cortana-powerbi-search.png) + ![Cortana at work, showing the best matches based on the Power BI data.](../images/cortana-powerbi-search.png) 3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**. Cortana returns your custom report. - ![Cortana at work, showing your custom report from Power BI](../images/cortana-powerbi-myreport.png) + ![Cortana at work, showing your custom report from Power BI.](../images/cortana-powerbi-myreport.png) >[!NOTE] >For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 478aeb7938..c701623a88 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement 2. Click on **Connected Services**, click **Uber**, and then click **Connect**. - ![Cortana at work, showing where to connect the Uber service to Cortana](../images/cortana-connect-uber.png) + ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png) **To use the voice-enabled commands with Cortana** 1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 601ad70810..f50e213ce8 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -161,7 +161,7 @@ When you have the Start layout that you want your users to see, use the [Export- A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. -![locked tile group](images/start-pinned-app.png) +![locked tile group.](images/start-pinned-app.png) When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 12f62c8444..7b7dcaed64 100644 
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -92,13 +92,13 @@ This procedure adds the customized Start and taskbar layout to the user configur 2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. - ![start screen layout policy settings](images/starttemplate.jpg) + ![start screen layout policy settings.](images/starttemplate.jpg) 3. Right-click **Start Layout** in the right pane, and click **Edit**. This opens the **Start Layout** policy settings. - ![policy settings for start screen layout](images/startlayoutpolicy.jpg) + ![policy settings for start screen layout.](images/startlayoutpolicy.jpg) 4. Enter the following settings, and then click **OK**: diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index ea856b24cd..42b70e6248 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -87,7 +87,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted](images/customization-start.png) + ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png) 7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). 
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index aa195fb89f..f5540c6ddd 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -50,7 +50,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform 3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) -![Image of the Choose Details options](images/aumid-file-explorer.png) +![Image of the Choose Details options.](images/aumid-file-explorer.png) ## To find the AUMID of an installed app for the current user by using the registry diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index bd502511d7..9efa2b652d 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
@@ -24,13 +24,13 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. - ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png) - **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. - ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png) Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
@@ -38,25 +38,25 @@ There are several kiosk configuration methods that you can choose from, dependin - **Which type of app will your kiosk run?** - ![icon that represents apps](images/office-logo.png) + ![icon that represents apps.](images/office-logo.png) Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) - **Which type of kiosk do you need?** - ![icon that represents a kiosk](images/kiosk.png) + ![icon that represents a kiosk.](images/kiosk.png) If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). - **Which edition of Windows 10 will the kiosk run?** - ![icon that represents Windows](images/windows.png) + ![icon that represents Windows.](images/windows.png) All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. - **Which type of user account will be the kiosk account?** - ![icon that represents a user account](images/user.png) + ![icon that represents a user account.](images/user.png) The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. 
The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 154b35c3d0..ba1aaa2b58 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -54,7 +54,7 @@ Disable removable media. | Go to **Group Policy Editor** > **Computer Con Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) +![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) ## Automatic logon @@ -257,7 +257,7 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. -![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png) +![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png) To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index f510b637bd..73e724bd75 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -137,7 +137,7 @@ The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. -![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png) +![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png) After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 8baee6a466..eac49be093 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -24,7 +24,7 @@ ms.topic: article A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. -![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) +![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) >[!IMPORTANT] >[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. 
@@ -66,7 +66,7 @@ When your kiosk is a local device that is not managed by Active Directory or Azu - If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. -![Screenshot of automatic sign-in setting](images/auto-signin.png) +![Screenshot of automatic sign-in setting.](images/auto-signin.png) ### Instructions for Windows 10, version 1809 @@ -98,7 +98,7 @@ To remove assigned access, select the account tile on the **Set up a kiosk** pag When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) -![The Set up assigned access page in Settings](images/kiosk-settings.png) +![The Set up assigned access page in Settings.](images/kiosk-settings.png) **To set up assigned access in PC settings** @@ -131,7 +131,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the > >Account type: Local standard user -![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) +![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
@@ -191,7 +191,7 @@ Clear-AssignedAccess > >Account type: Local standard user, Active Directory -![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) +![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) >[!IMPORTANT] diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 75781737fb..e34bee8204 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -53,7 +53,7 @@ For example: 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. 4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) +![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) ### Automatic logon issues diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index c2221b549a..5c2cfa795b 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -34,7 +34,7 @@ AppLocker rules are organized into collections based on file format. If no AppLo This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. -![install create lockdown customize](images/lockdownapps.png) +![install create lockdown customize.](images/lockdownapps.png) ## Install apps 
@@ -50,13 +50,13 @@ After you install the desired apps, set up AppLocker rules to only allow specifi 2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - ![configure rule enforcement](images/apprule.png) + ![configure rule enforcement.](images/apprule.png) 3. Check **Configured** under **Executable rules**, and then click **OK**. 4. Right-click **Executable Rules** and then click **Automatically generate rules**. - ![automatically generate rules](images/genrule.png) + ![automatically generate rules.](images/genrule.png) 5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. @@ -68,7 +68,7 @@ After you install the desired apps, set up AppLocker rules to only allow specifi 9. Read the message and click **Yes**. - ![default rules warning](images/appwarning.png) + ![default rules warning.](images/appwarning.png) 10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 702221c085..2bbcd7f1a3 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -81,7 +81,7 @@ Let's start by looking at the basic structure of the XML file. - A profile has no effect if it’s not associated to a config section. - ![profile = app and config = account](images/profile-config.png) + ![profile = app and config = account.](images/profile-config.png) You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) @@ -271,7 +271,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, >[!NOTE] >If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. -![What the Start screen looks like when the XML sample is applied](images/sample-start.png) +![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) ##### Taskbar @@ -494,7 +494,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. 
@@ -544,7 +544,7 @@ Provisioning packages can be applied to a device during the first-run experience 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC](images/oobe.jpg) + ![The first screen to set up a new PC.](images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. @@ -552,11 +552,11 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device](images/prov.jpg) + ![Provision this device.](images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package](images/choose-package.png) + ![Choose a package.](images/choose-package.png) 5. Select **Yes, add it**. @@ -570,7 +570,7 @@ Provisioning packages can be applied to a device during the first-run experience >[!NOTE] >if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. -![add a package option](images/package.png) +![add a package option.](images/package.png) ### Use MDM to deploy the multi-app configuration diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index d577b69cff..6dc4c73ddb 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md 
@@ -46,7 +46,7 @@ You can manage your Wi-Fi Sense settings by using Group Policy and your Group Po 1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting. - ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png) + ![Group Policy Editor, showing the Wi-Fi Sense setting.](images/wifisense-grouppolicy.png) 2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment. @@ -60,7 +60,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.

Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise. - ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) + ![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png) ### Using the Windows Provisioning settings You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. @@ -81,7 +81,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by ### How employees can change their own Wi-Fi Sense settings If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**. -![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png) +![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png) **Important**
The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means: diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md index ecf485cb1d..87f2b7b7cf 100644 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ b/windows/configuration/mobile-devices/lockdown-xml.md @@ -62,7 +62,7 @@ The settings for the Default role and other roles must be listed in your XML fil ## Action Center -![XML for Action Center](../images/ActionCenterXML.jpg) +![XML for Action Center.](../images/ActionCenterXML.jpg) The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. @@ -92,7 +92,7 @@ The following example is a complete lockdown XML file that disables Action Cente ## Apps -![XML for Apps](../images/AppsXML.png) +![XML for Apps.](../images/AppsXML.png) The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
@@ -110,7 +110,7 @@ The following example makes Outlook Calendar available on the device. When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). -![Grid to lay out tiles for Start](../images/StartGrid.jpg) +![Grid to lay out tiles for Start.](../images/StartGrid.jpg) Tile sizes are: * Small: 1x1 @@ -152,7 +152,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St That layout would appear on a device like this: -![Example of the layout on a Start screen](../images/StartGridPinnedApps.jpg) +![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg) You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. @@ -203,7 +203,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz ## Buttons -![XML for buttons](../images/ButtonsXML.jpg) +![XML for buttons.](../images/ButtonsXML.jpg) In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. 
@@ -213,11 +213,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The Button | Press | PressAndHold | All ---|:---:|:---:|:--:|- -Start | ![no](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) -Back | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Search | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Camera | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Custom 1, 2, and 3 | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) +Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) > [!NOTE] > Custom buttons are hardware buttons that can be added to devices by OEMs. @@ -270,7 +270,7 @@ In the following example, when a user presses the Search button, the phone diale ## CSPRunner -![XML for CSP Runner](../images/CSPRunnerXML.jpg) +![XML for CSP Runner.](../images/CSPRunnerXML.jpg) You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 
@@ -317,7 +317,7 @@ SyncML entry | Description ## Menu items -![XML for menu items](../images/MenuItemsXML.png) +![XML for menu items.](../images/MenuItemsXML.png) Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. @@ -329,7 +329,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ## Settings -![XML for settings](../images/SettingsXML.png) +![XML for settings.](../images/SettingsXML.png) The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. @@ -363,7 +363,7 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Tiles - ![XML for tiles](../images/TilesXML.png) + ![XML for tiles.](../images/TilesXML.png) By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. @@ -446,7 +446,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit ( 3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - ![browse button](../images/icdbrowse.png) + ![browse button.](../images/icdbrowse.png) 4. On the **File** menu, select **Save.** diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 68774e0da5..a7d82f6088 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md 
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -16,7 +16,7 @@ manager: dansimp # Use the Lockdown Designer app to create a Lockdown XML file -![Lockdown Designer in the Store](../images/ldstore.png) +![Lockdown Designer in the Store.](../images/ldstore.png) Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. @@ -55,7 +55,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to >[!IMPORTANT] >Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. > ->![turn off show more tiles for small start screen size](../images/show-more-tiles.png) +>![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) ## Prepare the PC @@ -89,7 +89,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 3. Click **Pair**. - ![Pair](../images/ld-pair.png) + ![Pair.](../images/ld-pair.png) **Connect to remote device** appears. @@ -99,7 +99,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - ![Sync](../images/ld-sync.png) + ![Sync.](../images/ld-sync.png) 7. Click the **Save** icon and enter a name for your project. 
@@ -113,7 +113,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 3. On the **Project setting** > **General settings** page, click **Pair**. - ![Pair](../images/ld-pair.png) + ![Pair.](../images/ld-pair.png) **Connect to remote device** appears. @@ -123,7 +123,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - ![Sync](../images/ld-sync.png) + ![Sync.](../images/ld-sync.png) 7. Click the **Save** icon and enter a name for your project. @@ -134,13 +134,13 @@ The apps and settings available in the pages of Lockdown Designer should now be | Page | Description | | --- | --- | -| ![Applications](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | -| ![CSP Runner](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | -| ![Settings](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | -| ![Quick actions](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | -| ![Buttons](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | -| ![Other settings](../images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | -| ![Start screen](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | +| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings.](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions.](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons.](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings.](../images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen.](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | ## Validate and export @@ -169,4 +169,4 @@ You can create additional roles for the device and have unique configurations fo 4. Configure the settings for the role as above, but make sure on each page that you select the correct role. - ![Current role selection box](../images/ld-role.png) \ No newline at end of file + ![Current role selection box.](../images/ld-role.png) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index 1d321fd9cb..ebd4218503 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md @@ -66,13 +66,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us 1. Insert an SD card containing the provisioning package into the device. 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - ![add a package option](../images/packages-mobile.png) + ![add a package option.](../images/packages-mobile.png) 3. Click **Add**. 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) ### Copying the provisioning package to the device 
@@ -82,7 +82,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) ## Related topics diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index 571a1488af..42ff3ff229 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -31,7 +31,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. -![Example of Provision this device screen](../images/nfc.png) +![Example of Provision this device screen.](../images/nfc.png) If there is an error during NFC provisioning, the device will show a message if any of the following errors occur: diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 711f3cfc4e..a265a544e3 100644 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -168,28 +168,28 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or **To set up Apps Corner** -1. On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. +1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png). +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png). -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](../images/backicon.png) to the Apps Corner settings. +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings. 4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. 5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. -6. Press **Back** ![back](../images/backicon.png) when you're done. +6. Press **Back** ![back.](../images/backicon.png) when you're done. **To use Apps Corner** -1. 
On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). +1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). >[!TIP] >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. 2. Give the device to someone else, so they can use the device and only the one app you chose. -3. When they're done and you get the device back, press and hold Power ![power](../images/powericon.png), and then swipe right to exit Apps Corner. +3. When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md index 41fc17fe04..858de39174 100644 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md @@ -36,7 +36,7 @@ On Windows 10 Mobile, the customized Start works by: The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. -![Start layout for Windows 10 Mobile](../images/mobile-start-layout.png) +![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png) The diagrams show: diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index 326ea5b8b8..a8d47b38e2 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md 
@@ -53,11 +53,11 @@ For users who work in different locations, you can configure one APN to connect 5. Enter a name for the connection, and then click **Add**. - ![Example of APN connection name](images/apn-add.png) + ![Example of APN connection name.](images/apn-add.png) 6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. - ![settings for new connection](images/apn-add-details.png) + ![settings for new connection.](images/apn-add-details.png) 7. The following table describes the settings available for the connection. diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 67c28a8b90..38d6791423 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -38,7 +38,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/win CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). -![how intune maps to csp](../images/policytocsp.png) +![how intune maps to csp.](../images/policytocsp.png) CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. @@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. -![how help content appears in icd](../images/cspinicd.png) +![how help content appears in icd.](../images/cspinicd.png) [Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. 
@@ -86,7 +86,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider ref The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. -![csp per windows edition](../images/csptable.png) +![csp per windows edition.](../images/csptable.png) The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. @@ -94,7 +94,7 @@ The full path to a specific configuration setting is represented by its Open Mob The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. -![assigned access csp tree](../images/provisioning-csp-assignedaccess.png) +![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png) The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). 
@@ -104,7 +104,7 @@ The element in the tree diagram after the root node tells you the name of the CS When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. -![placeholder in csp tree](../images/csp-placeholder.png) +![placeholder in csp tree.](../images/csp-placeholder.png) After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 38b7e01c09..818a935488 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -58,7 +58,7 @@ Provisioning packages can include management instructions and policies, installa > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. > ->![open advanced editor](../images/icd-simple-edit.png) +>![open advanced editor.](../images/icd-simple-edit.png) ## Create the provisioning package 
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 2. Click **Provision desktop devices**. - ![ICD start options](../images/icd-create-options-1703.png) + ![ICD start options.](../images/icd-create-options-1703.png) 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. - ![ICD desktop provisioning](../images/icd-desktop-1703.png) + ![ICD desktop provisioning.](../images/icd-desktop-1703.png) > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index a71916bfab..68cfcc37af 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -46,7 +46,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options](../images/icdstart-option.png) + ![ICD start options.](../images/icdstart-option.png) 3. Name your project and click **Next**. 
@@ -73,19 +73,19 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package](../images/uwp-family.png) + ![details for offline app package.](../images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package](../images/uwp-dependencies.png) + ![required frameworks for offline app package.](../images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. - ![generate license for offline app](../images/uwp-license.png) + ![generate license for offline app.](../images/uwp-license.png) - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index cca8b46be8..f6f7f9876b 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -74,11 +74,11 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate 2. Enter a name for the first app, and then click **Add**. - ![enter name for first app](../images/wcd-app-name.png) + ![enter name for first app.](../images/wcd-app-name.png) 3. Configure the settings for the appropriate installer type. - ![enter settings for first app](../images/wcd-app-commands.png) + ![enter settings for first app.](../images/wcd-app-commands.png) ## Add a universal app to your package @@ -88,19 +88,19 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package](../images/uwp-family.png) + ![details for offline app package.](../images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package](../images/uwp-dependencies.png) + ![required frameworks for offline app package.](../images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. - ![generate license for offline app](../images/uwp-license.png) + ![generate license for offline app.](../images/uwp-license.png) - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. 
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 4a1bb159ac..4a9381ab1c 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -35,7 +35,7 @@ Provisioning packages can be applied to a device during the first-run experience 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC](../images/oobe.jpg) + ![The first screen to set up a new PC.](../images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. @@ -43,11 +43,11 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device](../images/prov.jpg) + ![Provision this device.](../images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package](../images/choose-package.png) + ![Choose a package.](../images/choose-package.png) 5. Select **Yes, add it**. 
@@ -59,7 +59,7 @@ Provisioning packages can be applied to a device during the first-run experience Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. -![add a package option](../images/package.png) +![add a package option.](../images/package.png) ## Mobile editions @@ -68,13 +68,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account 1. Insert an SD card containing the provisioning package into the device. 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - ![add a package option](../images/packages-mobile.png) + ![add a package option.](../images/packages-mobile.png) 3. Click **Add**. 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) ### Copying the provisioning package to the device @@ -84,7 +84,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index b67e28b34d..0aa10c16b5 100644 
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -39,7 +39,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Configuration Designer wizards](../images/icd-create-options-1703.png) + ![Configuration Designer wizards.](../images/icd-create-options-1703.png) - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: @@ -56,7 +56,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > - > ![Switch to advanced editor](../images/icd-switch.png) + > ![Switch to advanced editor.](../images/icd-switch.png) 3. Enter a name for your project, and then select **Next**. @@ -87,7 +87,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. -![What the ICD interface looks like](../images/icd-runtime.png) +![What the ICD interface looks like.](../images/icd-runtime.png) The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). 
@@ -103,14 +103,14 @@ The process for configuring settings is similar for all settings. The following For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows Configuration Designer opens the reference topic when you select a setting](../images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) ## Build package 1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. - ![Export on top bar](../images/icd-export-menu.png) + ![Export on top bar.](../images/icd-export-menu.png) 2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 8a7b9c464d..1a467d4e6d 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -66,7 +66,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design 6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - ![Only Configuration Designer selected for installation](../images/icd-install.png) + ![Only Configuration Designer selected for installation.](../images/icd-install.png) ## Current Windows Configuration Designer limitations 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index e5d60aba7f..6e54b39009 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -35,7 +35,7 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. -![Target with multiple target states and conditions](../images/multi-target.png) +![Target with multiple target states and conditions.](../images/multi-target.png) The following table describes the logic for the target definition. diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 2313b0e929..a3b4e25f84 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -124,7 +124,7 @@ For details about the settings you can customize in provisioning packages, see [ Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. -![Configuration Designer options](../images/icd.png) +![Configuration Designer options.](../images/icd.png) Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators: diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index a616731808..6e01640c44 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -189,13 +189,13 @@ cmd /c InstallMyApp.bat In Windows Configuration Designer, this looks like: -![Command line in Selected customizations](../images/icd-script1.png) +![Command line in Selected customizations.](../images/icd-script1.png) You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. -![Command files in Selected customizations](../images/icd-script2.png) +![Command files in Selected customizations.](../images/icd-script2.png) When you are done, [build the package](provisioning-create-package.md#build-package). diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index e4327a7b35..ed5c4ee3a3 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md 
@@ -108,13 +108,13 @@ You can configure Windows to be in shared PC mode in a couple different ways: 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. > [!div class="mx-imgBorder"] - > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) + > ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png) 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. - ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) + ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: 
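Review bot: the numbered list in the `@@ -108,13` hunk of set-up-shared-or-guest-pc.md jumps from step 8 (`8. On the **Configuration settings** page ...`) to step 11 (`11. From this point on ...`), and step 11 then points back to "**Step 6**" for selecting **Create**. Not introduced by this change, but since the hunk is being touched for alt text, renumber the steps or add the missing 9 and 10 so the cross-reference resolves.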
@@ -189,7 +189,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t 1. Start with a PC on the setup screen. - ![The first screen to set up a new PC](images/oobe.jpg) + ![The first screen to set up a new PC.](images/oobe.jpg) 2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. @@ -206,7 +206,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. -![add a package option](images/package.png) +![add a package option.](images/package.png) > [!NOTE] > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 24dbcd1b32..5a39031455 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -42,7 +42,7 @@ When troubleshooting basic Start issues (and for the most part, all other Window - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` - `get-AppXPackage -Name Microsoft.Windows.Cortana` - ![Example of output from cmdlets](images/start-ts-1.png) + ![Example of output from cmdlets.](images/start-ts-1.png) Failure messages will appear if they aren't installed 
@@ -188,7 +188,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded ### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted -![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png) +![Screenshots that show download icons on app tiles and missing app tiles.](images/start-ts-2.png) **Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps. @@ -236,11 +236,11 @@ Specifically, behaviors include - If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing. -![Example of a working layout](images/start-ts-3.png) +![Example of a working layout.](images/start-ts-3.png) *Working layout on first sign-in of a new roaming user profile* -![Example of a failing layout](images/start-ts-4.png) +![Example of a failing layout.](images/start-ts-4.png) *Failing layout on subsequent sign-ins* @@ -256,15 +256,15 @@ Specifically, behaviors include Before the upgrade: - ![Example of Start screen with customizations applied](images/start-ts-5.jpg) + ![Example of Start screen with customizations applied.](images/start-ts-5.jpg) After the upgrade the user pinned tiles are missing: - ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png) + ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png) Additionally, users may see blank tiles if sign-in was attempted without network connectivity. - ![Example of blank tiles](images/start-ts-7.png) + ![Example of blank tiles.](images/start-ts-7.png) **Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676). 
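Review bot: style point on the last context line of the `@@ -256,15` hunk in start-layout-troubleshoot.md: the link `https://support.microsoft.com/en-us/help/4041676` carries a locale segment (`en-us`), whereas the support link touched in quick-fixes.md in this same patch is locale-free (`https://support.microsoft.com/help/17421/windows-free-up-drive-space`). Drop `en-us/` for consistency.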
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index d988f11531..351f09ce8e 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -31,15 +31,15 @@ In a Start layout for Windows 10, version 1703, you can include secondary tiles Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: -![tile for MSN and for a SharePoint site](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: -![tile for MSN and for a SharePoint site with no logos](images/edge-without-logo.png) +![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png) In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout. -![tile for MSN and for a SharePoint site](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) **Example of secondary tiles in XML generated by Export-StartLayout** @@ -156,7 +156,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png) + ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png) 13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). 
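Review bot: cmdlet casing in the `@@ -31,15` hunk of start-secondary-tiles.md: the context line refers to `export-StartLayoutEdgeAssets`, but PowerShell cmdlets are written Verb-Noun in Pascal case, so `Export-StartLayoutEdgeAssets`; the heading `**Example of secondary tiles in XML generated by Export-StartLayout**` a few lines later already uses that form. The `get-AppXPackage` lines in the start-layout-troubleshoot.md hunk (`@@ -42,7`) have the same issue and should read `Get-AppxPackage`.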
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 83744db2ca..75fcbcdad0 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -121,7 +121,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are --> -![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png) +![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png) 3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index bb6d70d870..0d091fe1bb 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u UE-V architecture, with server share, desktop, and UE-V service | **Component** | **Function** | @@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p --> -![UE-V template generator process](images/uev-generator-process.png) +![UE-V template generator process.](images/uev-generator-process.png) ## Settings synchronized by default diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index bfc7cfa6f3..08853f5b22 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md 
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make. -![UE-V deployment preparation](images/uev-deployment-preparation.png) +![UE-V deployment preparation.](images/uev-deployment-preparation.png) Update & Security --> Windows Update**. - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index f822925011..e56e7a3b5b 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline.](images/wufb-quality-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) +![The notification users get for an impending feature update deadline.](images/wufb-feature-notification.png) ### Deadline with user engagement 
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline example](images/wufb-quality-engaged-notification.png) +![The notification users get for an impending engaged quality update deadline example.](images/wufb-quality-engaged-notification.png) Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline example](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline example.](images/wufb-quality-notification.png) Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline example](images/wufb-feature-update-engaged-notification.png) +![The notification users get for an impending feature update engaged deadline example.](images/wufb-feature-update-engaged-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline example](images/wufb-feature-update-deadline-notification.png) +![The notification users get for an impending feature update deadline example.](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 93a5ab27b7..8589495141 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md 
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w |Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| ## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) +![Graphic showing a deployment divided into rings for a wave deployment.](images/wufb-wave-deployment.png) ## Early validation and testing Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index e044463423..8aafc8f67d 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md 
@@ -174,7 +174,7 @@ To check your system for unsigned drivers: 5. Type **sigverif** and press ENTER. 6. The File Signature Verification tool will open. Click **Start**. - ![File Signature Verification](../images/sigverif.png) + ![File Signature Verification.](../images/sigverif.png) 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers. 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired. @@ -268,7 +268,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: -![Get important updates](../images/update.jpg) +![Get important updates.](../images/update.jpg) ### Verify disk space 
@@ -280,13 +280,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un The amount of space available on the system drive will be displayed under the drive. See the following example: -![System drive](../images/drive.png) +![System drive.](../images/drive.png) In the previous example, there is 703 GB of available free space on the system drive (C:). To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: -![Disk cleanup](../images/cleanup.png) +![Disk cleanup.](../images/cleanup.png) For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 9e7a29631c..4dcb8fe787 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -25,7 +25,7 @@ ms.topic: article >This is a 300 level topic (moderate advanced).
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
- [![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) + [![Download SetupDiag.](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) ## About SetupDiag @@ -563,7 +563,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f ## Sample registry key -![Example of Addreg](./../images/addreg.png) +![Example of Addreg.](./../images/addreg.png) ## Related topics diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 5839bb088a..7ea7080113 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -61,7 +61,7 @@ Click **Submit** to send your feedback. See the following example: -![feedback example](../images/feedback.png) +![feedback example.](../images/feedback.png) After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. @@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. -![share](../images/share.jpg) +![share.](../images/share.jpg) ## Related topics diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 842e478dcf..bdb7e4814a 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md 
@@ -59,31 +59,31 @@ When performing an operating system upgrade, Windows Setup uses phases described 1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - ![downlevel phase](../images/downlevel.png) + ![downlevel phase.](../images/downlevel.png) 2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - ![safeOS phase](../images/safeos.png) + ![safeOS phase.](../images/safeos.png) 3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - ![first boot phase](../images/firstboot.png) + ![first boot phase.](../images/firstboot.png) 4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - ![second boot phase](../images/secondboot.png) + ![second boot phase.](../images/secondboot.png) - ![second boot phase](../images/secondboot2.png) + ![second boot phase.](../images/secondboot2.png) - ![second boot phase](../images/secondboot3.png) + ![second boot phase.](../images/secondboot3.png) 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. **Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): -![Upgrade process](../images/upgrade-process.png) +![Upgrade process.](../images/upgrade-process.png) DU = Driver/device updates.
OOBE = Out of box experience.
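Review bot: in the `@@ -59,31` hunk of troubleshoot-upgrade-errors.md, the three images under step 4 (`secondboot.png`, `secondboot2.png`, `secondboot3.png`) keep identical alt text, `second boot phase.`, after the change. Since this pass is about alt-text hygiene, give each a distinct description (for example which screen of the second boot phase it shows, as the step text itself lists the Welcome screen, preferences and the sign-in prompt) rather than only appending a period.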
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 1454fe92ed..72fb2c3d26 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -34,9 +34,9 @@ The following table shows the methods and paths available to change the edition > [!TIP] > Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. -![not supported](../images/x_blk.png) (X) = not supported
-![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
-![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
+![not supported.](../images/x_blk.png) (X) = not supported
+![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required
+![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | |-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | -| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no 
reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 08c4982f9c..50aad1782d 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -63,7 +63,7 @@ Ten parameters are listed in the event: The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. -![Windows Error Reporting](../images/event.png) +![Windows Error Reporting.](../images/event.png) ## Related topics diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index 84a87a0aac..52b489720f 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. -![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) +![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif) ## Local Store vs. Remote Store diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 30930ac481..b94bc3041b 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md 
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref   -![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) +![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg)   @@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator   -![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) +![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg)   diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index f32ee0d61e..10e7c2e418 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -55,7 +55,7 @@ The process proceeds as follows: 3. Client computers are activated by receiving the activation object from a domain controller during startup. > [!div class="mx-imgBorder"] - > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) + > ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg) **Figure 10**. The Active Directory-based activation flow 
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o 3. Add the Volume Activation Services role, as shown in Figure 11. - ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) + ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg) **Figure 11**. Adding the Volume Activation Services role 4. Click the link to launch the Volume Activation Tools (Figure 12). - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) + ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg) **Figure 12**. Launching the Volume Activation Tools 5. Select the **Active Directory-Based Activation** option (Figure 13). - ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) + ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg) **Figure 13**. Selecting Active Directory-Based Activation 6. Enter your KMS host key and (optionally) a display name (Figure 14). - ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) + ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg) **Figure 14**. Entering your KMS host key 7. Activate your KMS host key by phone or online (Figure 15). - ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) + ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg) **Figure 15**. Choosing how to activate your product diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index f9cfcf33ac..5fa4723874 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over 2. Launch Server Manager. 3. Add the Volume Activation Services role, as shown in Figure 4. - ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) + ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg) **Figure 4**. Adding the Volume Activation Services role in Server Manager 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) + ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg) **Figure 5**. Launching the Volume Activation Tools 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. - ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) + ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg) **Figure 6**. Configuring the computer as a KMS host 6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). - ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) + ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg) **Figure 7**. Installing your KMS host key 7. If asked to confirm replacement of an existing key, click **Yes**. 8. After the product key is installed, you must activate it. Click **Next** (Figure 8). - ![Activating the software](../images/volumeactivationforwindows81-08.jpg) + ![Activating the software.](../images/volumeactivationforwindows81-08.jpg) **Figure 8**. 
Activating the software The KMS key can be activated online or by phone. See Figure 9. - ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) + ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg) **Figure 9**. Choosing to activate online diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index b88d65def4..728b60519b 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi You can activate computers by using a MAK in two ways: - **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) + ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg) **Figure 16**. MAK independent activation - **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) + ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg) **Figure 17**. MAK proxy activation with the VAMT diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 4e2248db96..e671e92d02 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md 
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI 5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. - ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) + ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif) **Important**   This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 87cb8d7b0f..5cbd41f410 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: -![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) +![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) 1. Open the Control Panel and double-click **Administrative Tools**. 2. Click **Windows Firewall with Advanced Security**. diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index f462f8655f..0b67293d6a 100644 --- a/windows/deployment/volume-activation/install-vamt.md 
+++ b/windows/deployment/volume-activation/install-vamt.md @@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png) ### Install VAMT using the ADK @@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. - ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) + ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png) For remote SQL Server, use `servername.yourdomain.com`. diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 45619726e9..91d2d8540b 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. -![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) +![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. @@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the The following screenshot shows the VAMT graphical user interface. -![VAMT user interface](images/vamtuserinterfaceupdated.jpg) +![VAMT user interface.](images/vamtuserinterfaceupdated.jpg) VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 443e1e417b..71d990f500 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use A typical core network that includes a KMS host is shown in Figure 1. -![Typical core network](../images/volumeactivationforwindows81-01.jpg) +![Typical core network.](../images/volumeactivationforwindows81-01.jpg) **Figure 1**. Typical core network @@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server, If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. -![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) +![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg) **Figure 2**. New KMS host in an isolated network @@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence: 7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. 8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. -![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) +![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg) **Figure 3**. KMS activation flow diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 2716a475b8..118a656e49 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md 
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th - Retail The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) +![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) ## In This Topic - [Install and start VAMT on a networked host computer](#bkmk-partone) diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 84e0a8ea19..d3b906680d 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -19,7 +19,7 @@ ms.topic: article In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: -![VAMT MAK proxy activation scenario](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) +![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index c8e7913ed2..562251c0a9 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md 
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. -![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) +![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg) **Figure 18**. The VAMT showing the licensing status of multiple computers @@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. -![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) +![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg) **Figure 19**. The VAMT showing key types and usage diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 844c46ba14..55fd4c1684 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md 
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here. -![VAMT error message](./images/vamt-known-issue-message.png) +![VAMT error message.](./images/vamt-known-issue-message.png) This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods. diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 3bda096ca5..2a0f0da2a9 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md 
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format. -[![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) +[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. -[![Deploy Windows 10 with Configuration Manager](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) +[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) ## See also diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index a90baefd20..0e160f2943 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md 
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: -![Images](images/table01.png) +![Images.](images/table01.png) When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. @@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic See the following example for Windows 10, version 1709: -![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) +![Windows 10, version 1709 lang pack.](images/lang-pack-1709.png) ### Features on demand diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 7e6d238721..9d18e1af46 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - ![custom image](images/image.png) + ![custom image.](images/image.png) ### Create the deployment task sequence 
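Review bot: In windows-10-poc-mdt.md (hunk `@@ -284,7 +284,7 @@`), `![custom image.](images/image.png)` is still a two-word alt text after the period is added, which satisfies the lint rule but not its purpose; the step it illustrates is renaming the imported operating system to **Windows 10 Enterprise x64 Custom Image** in the Deployment Workbench properties dialog, so describe that dialog in the alt text instead.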
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - ![finish](images/deploy-finish.png) + ![finish.](images/deploy-finish.png) This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 603113f920..d69cc3b5db 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: - ![Config Mgr PXE](images/configmgr-pxe.png) + ![Config Mgr PXE.](images/configmgr-pxe.png) 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: 
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce >Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. -![contoso.com\Computers](images/poc-computers.png) +![contoso.com\Computers.](images/poc-computers.png) In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. @@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - ![site](images/configmgr-site.png) + ![site.](images/configmgr-site.png) If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. 
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - ![client](images/configmgr-client.png) + ![client.](images/configmgr-client.png) >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. @@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - ![collection](images/configmgr-collection.png) + ![collection.](images/configmgr-collection.png) ### Create a device collection for PC1 @@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - ![software](images/configmgr-software-cntr.png) + ![software.](images/configmgr-software-cntr.png) >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - ![installOS](images/configmgr-install-os.png) + ![installOS.](images/configmgr-install-os.png) The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - ![asset](images/configmgr-asset.png) + ![asset.](images/configmgr-asset.png) You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - ![post-refresh](images/configmgr-post-refresh.png) + ![post-refresh.](images/configmgr-post-refresh.png) ## Related Topics diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 319121950d..d4a667a65b 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -150,7 +150,7 @@ Hardware requirements are displayed below: The lab architecture is summarized in the following diagram: -![PoC diagram](images/poc.png) +![PoC diagram.](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. @@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![hyper-v features](images/hyper-v-feature.png) + ![hyper-v features.](images/hyper-v-feature.png) - ![hyper-v](images/svr_mgr2.png) + ![hyper-v.](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -449,7 +449,7 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd 1](images/disk2vhd.png) + ![disk2vhd 1.](images/disk2vhd.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -482,7 +482,7 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd 2](images/disk2vhd-gen2.png) + ![disk2vhd 2.](images/disk2vhd-gen2.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -506,7 +506,7 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - ![disk2vhd 3](images/disk2vhd4.png) + ![disk2vhd 3.](images/disk2vhd4.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - ![PoC 1](images/installing-drivers.png) + ![PoC 1.](images/installing-drivers.png) >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. @@ -879,7 +879,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to See the following example: - ![ISE 1](images/ISE.png) + ![ISE 1.](images/ISE.png) 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: 
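Review bot: The three Disk2vhd hunks (@@ -449, @@ -482 and @@ -506) each carry the identical tip "Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted..." as unchanged context; while the alt text on `disk2vhd 1.`, `disk2vhd 2.` and `disk2vhd 3.` is being revised, consider collapsing the repeated note into a single include or a one-time callout so the three procedures do not drift apart. The numeric suffix in the alt text is also not descriptive; the step text already supplies a usable label (e.g. `Disk2vhd with the C: and system reserved volumes selected and F:\VHD\w7.vhdx as the output path`).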
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 447ea81cfb..16e8c70c2a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. -![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) +![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later: - When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: - ![Subscription Activation with MFA example 1](images/sa-mfa1.png)
+ ![Subscription Activation with MFA example 1.](images/sa-mfa1.png)
- ![Subscription Activation with MFA example 2](images/sa-mfa2.png)
+ ![Subscription Activation with MFA example 2.](images/sa-mfa2.png)
- ![Subscription Activation with MFA example 3](images/sa-mfa3.png) + ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) ### Windows 10 Education requirements @@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. -![Windows 10 Enterprise](images/ent.png) +![Windows 10 Enterprise.](images/ent.png) When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. @@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio The following figures summarize how the Subscription Activation model works: Before Windows 10, version 1903:
-![1703](images/before.png) +![1703.](images/before.png) After Windows 10, version 1903:
-![1903](images/after.png) +![1903.](images/after.png) > [!NOTE] > diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index d132aa99a6..74e099fc82 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![Hyper-V feature](images/hyper-v-feature.png) + ![Hyper-V feature.](images/hyper-v-feature.png) - ![Hyper-V](images/svr_mgr2.png) + ![Hyper-V.](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -232,21 +232,21 @@ PS C:\autopilot> Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - ![Windows setup example 1](images/winsetup1.png) - ![Windows setup example 2](images/winsetup2.png) - ![Windows setup example 3](images/winsetup3.png) - ![Windows setup example 4](images/winsetup4.png) - ![Windows setup example 5](images/winsetup5.png) - ![Windows setup example 6](images/winsetup6.png) + ![Windows setup example 1.](images/winsetup1.png) + ![Windows setup example 2.](images/winsetup2.png) + ![Windows setup example 3.](images/winsetup3.png) + ![Windows setup example 4.](images/winsetup4.png) + ![Windows setup example 5.](images/winsetup5.png) + ![Windows setup example 6.](images/winsetup6.png) After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - ![Windows setup example 7](images/winsetup7.png) + ![Windows setup example 7.](images/winsetup7.png) Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. > [!div class="mx-imgBorder"] - > ![Windows setup example 8](images/winsetup8.png) + > ![Windows setup example 8.](images/winsetup8.png) To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: 
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script: > [!NOTE] > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - ![Serial number and hardware hash](images/hwid.png) + ![Serial number and hardware hash.](images/hwid.png) You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). @@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**. -![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) +![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg) Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. -![Reset this PC screen capture](images/autopilot-reset-progress.jpg) +![Reset this PC screen capture.](images/autopilot-reset-progress.jpg) ## Verify subscription level 
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** -![MDM and Intune](images/mdm-intune2.png) +![MDM and Intune.](images/mdm-intune2.png) If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. -![License conversion option](images/aad-lic1.png) +![License conversion option.](images/aad-lic1.png) ## Configure company branding @@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. -![Configure company branding](images/branding.png) +![Configure company branding.](images/branding.png) When you are finished, click **Save**. @@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. -![MDM user scope in the Mobility blade](images/ap-aad-mdm.png) +![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png) ## Register your VM 
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B 1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. - ![Intune device import](images/enroll1.png) + ![Intune device import.](images/enroll1.png) > [!NOTE] > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank. - ![HWID CSV](images/enroll2.png) + ![HWID CSV.](images/enroll2.png) You should receive confirmation that the file is formatted correctly before uploading it, as shown above. @@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B 4. Click **Refresh** to verify your VM or device has been added. See the following example. - ![Import HWID](images/enroll3.png) + ![Import HWID.](images/enroll3.png) ### Autopilot registration using MSfB 
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft. Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: -![Microsoft Store for Business](images/msfb.png) +![Microsoft Store for Business.](images/msfb.png) Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. -![Microsoft Store for Business Devices](images/msfb-device.png) +![Microsoft Store for Business Devices.](images/msfb-device.png) ## Create and assign a Windows Autopilot deployment profile @@ -446,7 +446,7 @@ Pick one: > [!NOTE] > Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list. -![Devices](images/enroll4.png) +![Devices.](images/enroll4.png) #### Create a device group @@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must 3. Click **Members** and add the Autopilot VM to the group. See the following example: > [!div class="mx-imgBorder"] - > ![add members](images/group1.png) + > ![add members.](images/group1.png) 4. Click **Create**. 
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**. > [!div class="mx-imgBorder"] -> ![Deployment profiles](images/dp.png) +> ![Deployment profiles.](images/dp.png) Click on **Create profile** and then select **Windows PC**. > [!div class="mx-imgBorder"] -> ![Create deployment profile](images/create-profile.png) +> ![Create deployment profile.](images/create-profile.png) On the **Create profile** blade, use the following values: @@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings: 2. Click the **Autopilot Lab** group, and then click **Select**. 3. Click **Next** to continue and then click **Create**. See the following example: -![Deployment profile](images/profile.png) +![Deployment profile.](images/profile.png) Click on **OK** and then click on **Create**. @@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro Click **Manage** from the top menu, then click **Devices** from the left navigation tree. -![MSfB manage](images/msfb-manage.png) +![MSfB manage.](images/msfb-manage.png) Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. 
@@ -538,17 +538,17 @@ To CREATE the profile: Select your device from the **Devices** list: > [!div class="mx-imgBorder"] -> ![MSfB create step 1](images/msfb-create1.png) +> ![MSfB create step 1.](images/msfb-create1.png) On the Autopilot deployment dropdown menu, select **Create new profile**: > [!div class="mx-imgBorder"] -> ![MSfB create step 2](images/msfb-create2.png) +> ![MSfB create step 2.](images/msfb-create2.png) Name the profile, choose your desired settings, and then click **Create**: > [!div class="mx-imgBorder"] -> ![MSfB create step 3](images/msfb-create3.png) +> ![MSfB create step 3.](images/msfb-create3.png) The new profile is added to the Autopilot deployment list. @@ -557,12 +557,12 @@ To ASSIGN the profile: To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: > [!div class="mx-imgBorder"] -> ![MSfB assign step 1](images/msfb-assign1.png) +> ![MSfB assign step 1.](images/msfb-assign1.png) Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: > [!div class="mx-imgBorder"] -> ![MSfB assign step 2](images/msfb-assign2.png) +> ![MSfB assign step 2.](images/msfb-assign2.png) > [!IMPORTANT] > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: > [!div class="mx-imgBorder"] -> ![Device status](images/device-status.png) +> ![Device status.](images/device-status.png) Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. @@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com - Turn on the device - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). -![OOBE sign-in page](images/autopilot-oobe.png) +![OOBE sign-in page.](images/autopilot-oobe.png) Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. > [!div class="mx-imgBorder"] -> ![Device enabled](images/devices1.png) +> ![Device enabled.](images/devices1.png) Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. 
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu. > [!div class="mx-imgBorder"] -> ![Delete device step 1](images/delete-device1.png) +> ![Delete device step 1.](images/delete-device1.png) This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. @@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion. > [!div class="mx-imgBorder"] -> ![Delete device](images/delete-device2.png) +> ![Delete device.](images/delete-device2.png) At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: @@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: > [!div class="mx-imgBorder"] -> ![Add app example](images/app01.png) +> ![Add app example.](images/app01.png) After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. 
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Add app step 1](images/app02.png) +![Add app step 1.](images/app02.png) Under **App Type**, select **Windows app (Win32)**: -![Add app step 2](images/app03.png) +![Add app step 2.](images/app03.png) On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: > [!div class="mx-imgBorder"] -> ![Add app step 3](images/app04.png) +> ![Add app step 3.](images/app04.png) On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: -![Add app step 4](images/app05.png) +![Add app step 4.](images/app05.png) On the **Program Configuration** blade, supply the install and uninstall commands: @@ -721,7 +721,7 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q > [!NOTE] > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file. -![Add app step 5](images/app06.png) +![Add app step 5.](images/app06.png) Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). 
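Review bot: In the @@ -721 hunk the unchanged context states the Notepad++ .msi "was obtained from a third party provider" (hass.de) and the uninstall command hard-codes the product code `{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}`; since this lab pushes that package as a required Win32 app to Intune-managed devices, the text around `![Add app step 5.](images/app06.png)` should tell the reader to check the MSI's Authenticode signature (for example with `Get-AuthenticodeSignature`) or its published hash before wrapping it with IntuneWinAppUtil, and to take the uninstall product code from the MSI actually deployed rather than from this example, because the hard-coded GUID only matches that one package.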
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade. On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: > [!div class="mx-imgBorder"] -> ![Add app step 6](images/app07.png) +> ![Add app step 6.](images/app07.png) Next, configure the **Detection rules**. For our purposes, we will select manual format: > [!div class="mx-imgBorder"] -> ![Add app step 7](images/app08.png) +> ![Add app step 7.](images/app08.png) Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: -![Add app step 8](images/app09.png) +![Add app step 8.](images/app09.png) Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. **Return codes**: For our purposes, leave the return codes at their default values: > [!div class="mx-imgBorder"] -> ![Add app step 9](images/app10.png) +> ![Add app step 9.](images/app10.png) Click **OK** to exit. @@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package. Once the indicator message says the addition has completed. > [!div class="mx-imgBorder"] -> ![Add app step 10](images/app11.png) +> ![Add app step 10.](images/app11.png) You will be able to find your app in your app list: > [!div class="mx-imgBorder"] -> ![Add app step 11](images/app12.png) +> ![Add app step 11.](images/app12.png) #### Assign the app to your Intune profile @@ -772,7 +772,7 @@ You will be able to find your app in your app list: In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: > [!div class="mx-imgBorder"] -> ![Assign app step 1](images/app13.png) +> ![Assign app step 1.](images/app13.png) Select **Add Group** to open the **Add group** pane that is related to the app. 
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu Select **Included Groups** and assign the groups you previously created that will use this app: -![Assign app step 2](images/app14.png) +![Assign app step 2.](images/app14.png) > [!div class="mx-imgBorder"] -> ![Assign app step 3](images/app15.png) +> ![Assign app step 3.](images/app15.png) In the **Select groups** pane, click the **Select** button. @@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. > [!div class="mx-imgBorder"] -> ![Assign app step 4](images/app16.png) +> ![Assign app step 4.](images/app16.png) At this point, you have completed steps to add a Win32 app to Intune. @@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Create app step 1](images/app17.png) +![Create app step 1.](images/app17.png) Under **App Type**, select **Office 365 Suite > Windows 10**: -![Create app step 2](images/app18.png) +![Create app step 2.](images/app18.png) Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: > [!div class="mx-imgBorder"] -> ![Create app step 3](images/app19.png) +> ![Create app step 3.](images/app19.png) Click **OK**. 
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. > [!div class="mx-imgBorder"] -> ![Create app step 4](images/app20.png) +> ![Create app step 4.](images/app20.png) Click **OK**. In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: -![Create app step 5](images/app21.png) +![Create app step 5.](images/app21.png) Click **OK** and then click **Add**. @@ -847,7 +847,7 @@ Click **OK** and then click **Add**. In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: > [!div class="mx-imgBorder"] -> ![Create app step 6](images/app22.png) +> ![Create app step 6.](images/app22.png) Select **Add Group** to open the **Add group** pane that is related to the app. @@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu Select **Included Groups** and assign the groups you previously created that will use this app: -![Create app step 7](images/app23.png) +![Create app step 7.](images/app23.png) > [!div class="mx-imgBorder"] -> ![Create app step 8](images/app24.png) +> ![Create app step 8.](images/app24.png) In the **Select groups** pane, click the **Select** button. @@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. -![Create app step 9](images/app25.png) +![Create app step 9.](images/app25.png) At this point, you have completed steps to add Office to Intune. 
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: -![Create app step 10](images/app26.png) +![Create app step 10.](images/app26.png) ## Glossary diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 0d04abd1e0..04f798b127 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). -![figure 1](images/win-10-adk-select.png) +![figure 1.](images/win-10-adk-select.png) The Windows 10 ADK feature selection page. @@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` -![figure 2](images/mdt-11-fig05.png) +![figure 2.](images/mdt-11-fig05.png) Using DISM functions in PowerShell. 
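Review bot: in the `@@ -29,7 +29,7 @@` hunk of windows-deployment-scenarios-and-tools.md, appending a period to `![figure 1.](images/win-10-adk-select.png)` does not make the alt text useful; "figure 1." tells a screen-reader user nothing, while the actual description sits on the next line as a caption ("The Windows 10 ADK feature selection page."). Since every one of these alt texts is being edited anyway, prefer moving the caption wording into the alt attribute, e.g. `![The Windows 10 ADK feature selection page.](images/win-10-adk-select.png)`, and apply the same treatment to the `figure 2.` through `figure 14.` edits in this file.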
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data - **Custom templates.** Custom templates that you create. - **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. -![figure 3](images/mdt-11-fig06.png) +![figure 3.](images/mdt-11-fig06.png) A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files. @@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. -![figure 4](images/windows-icd.png) +![figure 4.](images/windows-icd.png) Windows Imaging and Configuration Designer. @@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/ Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. -![figure 7](images/mdt-11-fig07.png) +![figure 7.](images/mdt-11-fig07.png) Windows answer file opened in Windows SIM. 
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. -![figure 6](images/mdt-11-fig08.png) +![figure 6.](images/mdt-11-fig08.png) The updated Volume Activation Management Tool. @@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box. -![figure 7](images/mdt-11-fig09.png) +![figure 7.](images/mdt-11-fig09.png) A machine booted with the Windows ADK default Windows PE boot image. @@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. -![figure 8](images/mdt-11-fig10.png) +![figure 8.](images/mdt-11-fig10.png) A Windows 10 client booted into Windows RE, showing Advanced options. 
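Review bot: the figure numbers rewritten in the `@@ -110,7 +110,7 @@` and `@@ -138,7 +138,7 @@` hunks are out of sequence and duplicated: the Windows SIM image becomes `![figure 7.](images/mdt-11-fig07.png)`, the VAMT image after it becomes `![figure 6.](images/mdt-11-fig08.png)`, and the Windows PE image is also `![figure 7.](images/mdt-11-fig09.png)`, with no figure 5 anywhere between figure 4 (Windows ICD) and figure 8 (Windows RE). If the numbers are kept at all, renumber them in document order (Windows SIM as figure 5, VAMT as figure 6, Windows PE as figure 7); the image file names fig07, fig08 and fig09 already follow that order.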
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows- Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. -![figure 9](images/mdt-11-fig11.png) +![figure 9.](images/mdt-11-fig11.png) Windows Deployment Services using multicast to deploy three machines. @@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance: - **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. - **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. -![figure 10](images/mdt-11-fig12.png) +![figure 10.](images/mdt-11-fig12.png) TFTP changes are now easy to perform. @@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup -![figure 11](images/mdt-11-fig13.png) +![figure 11.](images/mdt-11-fig13.png) The Deployment Workbench in, showing a task sequence. 
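Review bot: the caption context line "The Deployment Workbench in, showing a task sequence." beneath `![figure 11.](images/mdt-11-fig13.png)` in the `@@ -192,7 +192,7 @@` hunk has a stray "in" and should read "The Deployment Workbench, showing a task sequence."; it is one line away from the edited alt text, so fix it in this change.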
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm [Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer. -![figure 12](images/mdt-11-fig14.png) +![figure 12.](images/mdt-11-fig14.png) The SCM console showing a baseline configuration for a fictional client's computer security compliance. @@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file. -![figure 13](images/mdt-11-fig15.png) +![figure 13.](images/mdt-11-fig15.png) The User Experience selection screen in IEAK 11. @@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. -![figure 14](images/mdt-11-fig16.png) +![figure 14.](images/mdt-11-fig16.png) The Windows Server Update Services console. diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 930819c367..5852e85928 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md 
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn on data viewing](images/ddv-data-viewing.png) + ![Location to turn on data viewing.](images/ddv-data-viewing.png) **To turn on data viewing through PowerShell** @@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn off data viewing](images/ddv-settings-off.png) + ![Location to turn off data viewing.](images/ddv-settings-off.png) **To turn off data viewing through PowerShell** diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 3b40651ee2..dc9a127179 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn on data viewing](images/ddv-data-viewing.png) + ![Location to turn on data viewing.](images/ddv-data-viewing.png) ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. @@ -54,7 +54,7 @@ You can start this app from the **Settings** panel. 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

-OR-

+ ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)

-OR-

Go to **Start** and search for _Diagnostic Data Viewer_. @@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. - ![View your diagnostic events](images/ddv-event-view.jpg) + ![View your diagnostic events.](images/ddv-event-view.jpg) - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
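Review bot: the alt text changed in the `@@ -54,7 +54,7 @@` hunk of diagnostic-data-viewer-overview.md, `![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)`, describes the wrong action: the step it illustrates is "Under **Diagnostic data**, select the **Diagnostic Data Viewer** button", which launches the app, whereas the "turn on" wording belongs to the data-viewing toggle edited in the `@@ -38,7 +38,7 @@` hunk above. Suggest "Location to launch the Diagnostic Data Viewer." so the alt text matches the step it sits under.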
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. 
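Review bot: the `@@ -83,7 +83,7 @@` hunk adds a period to only one of the two inline icons on the same line: `![Icon to review the device-level sampling.](images/ddv-device-sample.png)` gets it while `![Icon to review the event-level sampling](images/ddv-event-sample.png)` a few words later does not. Either both inline icon alt texts end with a period or neither; since both sit mid-sentence inside parentheses, a trailing period is arguably wrong for both, so pick one convention and apply it to both in this hunk.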
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. - ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer](images/ddv-analytics.png) + ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) ## View Office Diagnostic Data By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). @@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn off data viewing](images/ddv-settings-off.png) + ![Location to turn off data viewing.](images/ddv-settings-off.png) ## Modifying the size of your data history By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
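Review bot: the hunk header context for `@@ -112,7 +112,7 @@` reads "When you're done reviewing your diagnostic data, you should turn of data viewing", i.e. "turn of" for "turn off", three lines above the edited `![Location to turn off data viewing.](images/ddv-settings-off.png)`; the Microsoft-DiagnosticDataViewer.md copy of the same sentence in its `@@ -134,7 +134,7 @@` hunk reads "we recommend turning off data v…" correctly, so fix the overview page's sentence while this hunk is open.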
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. -![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png) +![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) **To view your Windows Error Reporting diagnostic data using the Control Panel** @@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu Go to **Start** and search for _Problem Reports_. The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft. -![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png) +![View problem reports tool with report statuses.](images/control-panel-problem-reports-screen.png) ## Known Issues with Diagnostic Data Viewer diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index aad2616468..f1f0d9469a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [9. License Manager](#bkmk-licmgr) | | | ![Check mark](images/checkmark.png) | -| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | -| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [15. 
Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [9. License Manager](#bkmk-licmgr) | | | ![Check mark.](images/checkmark.png) | +| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark.](images/checkmark.png) | +| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark.](images/checkmark.png) | +| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. 
Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| -|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
-|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -|     [18.22 Activity History](#bkmk-act-history) | ![Check 
mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [29. 
Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png)| +|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check 
mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +|     [18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [20. 
Storage Health](#bkmk-storage-health) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | -| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 with Desktop Experience 
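Review bot: the alt-text change in the `@@ -57,60 +57,60 @@` table hunk is applied unevenly and leaves the table less consistent than before. Rows 1 through 12 get `![Check mark.](images/checkmark.png)` in every column, but from row 13 onward the Registry column keeps `![Check mark](images/checkmark.png)` (for example `| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |`), rows 18.19 through 18.23 also keep the unpunctuated form in the Group Policy column, and rows 17 (Preinstalled apps) and 30 (Cloud Clipboard) are not touched at all. Since every cell uses the identical image and alt text, apply one whole-file replacement of `![Check mark](images/checkmark.png)` with `![Check mark.](images/checkmark.png)` (or leave all of them alone) rather than hand-editing a subset.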
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. 
Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [11. 
Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| -|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | -|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| 
    [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -|     [18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| +|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +|     [18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. 
Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | -| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | +| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | | [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index 8ac3729427..69dba47679 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md 
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s > **Note**  You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample1.gif) 3. Close Active Directory Users and Computers. @@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s 5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample2.png) 6. Name the GPO, and > **OK**. 7. Expand the GPO, right-click the new GPO, and > **Edit**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample3.png) 8. Configure which members of accounts can log on locally to these administrative workstations as follows: @@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 5. Click **Add User or Group**, type **Administrators**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample4.png) 9. Configure the proxy configuration: 
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample5.png) 10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows: @@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample6.png) 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample7.png) 3. Click **OK** to complete the configuration. @@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Right-click **Group Policy Objects**, and > **New**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample1.png) 4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample2.png) 5. Right-click **New GPO**, and > **Edit**. 
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample3.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. @@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample4.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. @@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample5.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. 
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for 1. Right-click the workstation OU, and then > **Link an Existing GPO**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample6.png) 2. Select the GPO that you just created, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample7.png) 10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy. @@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. -![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png) +![Active Directory local accounts.](images/adlocalaccounts-proc3-sample1.png) ## Secure and manage domain controllers diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index d67808e585..6ad17afded 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md 
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t 3. In the console tree, right-click **Group Policy Objects**, and > **New**. - ![local accounts 1](images/localaccounts-proc1-sample1.png) + ![local accounts 1.](images/localaccounts-proc1-sample1.png) 4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer. - ![local accounts 2](images/localaccounts-proc1-sample2.png) + ![local accounts 2.](images/localaccounts-proc1-sample2.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 3](images/localaccounts-proc1-sample3.png) + ![local accounts 3.](images/localaccounts-proc1-sample3.png) 6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following: @@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t 2. Right-click **Registry**, and > **New** > **Registry Item**. - ![local accounts 4](images/localaccounts-proc1-sample4.png) + ![local accounts 4.](images/localaccounts-proc1-sample4.png) 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. @@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t 9. Verify this configuration, and > **OK**. - ![local accounts 5](images/localaccounts-proc1-sample5.png) + ![local accounts 5.](images/localaccounts-proc1-sample5.png) 8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: 
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - ![local accounts 6](images/localaccounts-proc1-sample6.png) + ![local accounts 6.](images/localaccounts-proc1-sample6.png) 3. Select the GPO that you just created, and > **OK**. @@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ 4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer. - ![local accounts 7](images/localaccounts-proc2-sample1.png) + ![local accounts 7.](images/localaccounts-proc2-sample1.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 8](images/localaccounts-proc2-sample2.png) + ![local accounts 8.](images/localaccounts-proc2-sample2.png) 6. Configure the user rights to deny network logons for administrative local accounts as follows: diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index e770d29de4..be0a573f71 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md 
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice, A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID. -![Security identifier architecture](images/security-identifider-architecture.jpg) +![Security identifier architecture.](images/security-identifider-architecture.jpg) The individual values of a SID are described in the following table. diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md index 26564af45a..293acd13c9 100644 --- a/windows/security/identity-protection/access-control/security-principals.md +++ b/windows/security/identity-protection/access-control/security-principals.md @@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control **Authorization and access control process** -![authorization and access control process](images/authorizationandaccesscontrolprocess.gif) +![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif) Security principals are closely related to the following components and technologies: diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index f055141697..9423de2923 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md 
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate) 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. - :::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png"::: + :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png"::: 3. Tap **Email security**. - :::image type="content" alt-text="email security settings" source="images/emailsecurity.png"::: + :::image type="content" alt-text="email security settings." source="images/emailsecurity.png"::: 4. In **Select an account**, select the account for which you want to configure S/MIME options. @@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate) 2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message. - :::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png"::: + :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png"::: ## Read signed or encrypted messages @@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin 3. Tap **Install.** - :::image type="content" alt-text="message security information" source="images/installcert.png"::: + :::image type="content" alt-text="message security information." source="images/installcert.png":::   \ No newline at end of file diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 8d0219c5dd..b122158529 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md 
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon Here's a high-level overview on how the LSA is isolated by using virtualization-based security: -![Windows Defender Credential Guard overview](images/credguard.png) +![Windows Defender Credential Guard overview.](images/credguard.png) ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index c737034fd5..936172770d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will 5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details. - ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png) + ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png) 6. Close the Group Policy Management Console. @@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard Here's an example: > [!div class="mx-imgBorder"] - > ![System Information](images/credguard-msinfo32.png) + > ![System Information.](images/credguard-msinfo32.png) You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index 8a678b6ff4..fea29a3fc3 100644 
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location: | Value | Binary contents from the certificate pin rules certificate trust list file | | Data type | REG_BINARY | -![Registry binary information](images/enterprise-pinning-registry-binary-information.png) +![Registry binary information.](images/enterprise-pinning-registry-binary-information.png) ### Deploying Enterprise Pin Rule Settings using Group Policy @@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti 11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. - ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) + ![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png) 12. Close the **Group Policy Management Editor** to save your settings. 13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer. 
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC. You can use Windows PowerShell to format these dates. You can then copy and paste the output of the cmdlet into the XML file. -![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png) +![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png) For simplicity, you can truncate decimal point (.) and the numbers after it. However, be certain to append the uppercase “Z” to the end of the XML date string. @@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date. -![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png) +![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png) ## Representing a Duration in XML @@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date. You must represent the duration as an XML timespan data type. You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file. -![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png) +![Representing a duration.](images/enterprise-certificate-pinning-representing-a-duration.png) ## Converting an XML Duration You can convert a XML formatted timespan into a timespan variable that you can read. -![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png) +![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png) ## Certificate Trust List XML Schema Definition (XSD) 
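Review bot: the alt text fixes in the enterprise-certificate-pinning.md hunks at lines 258 through 280 leave the PowerShell commands themselves only inside screenshots ("Representing a date.", "Converting an XML date.", "Representing a duration.", "Converting an XML duration."), while the surrounding text tells the reader to copy and paste the cmdlet output; a screenshot cannot be selected, so put each command and its output in a fenced code block next to the image. While the line-272 hunk is open, "use Windows PowerShell to validate convert an XML date into a human readable date to validate it's the correct date" says "validate" twice; "use Windows PowerShell to convert an XML date into a human-readable date and confirm it is the correct one" reads cleanly.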
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index b7018e4477..f80ffec25c 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. - ![Group Policy Editor](images/multifactorUnlock/gpme.png) + ![Group Policy Editor.](images/multifactorUnlock/gpme.png) 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. - ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) + ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png) 9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 16be1aa6bc..25d27e28d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: -![dc-chart1](images/plan/dc-chart1.png) +![dc-chart1.](images/plan/dc-chart1.png) The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following: -![dc-chart2](images/plan/dc-chart2.png) +![dc-chart2.](images/plan/dc-chart2.png) The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients? 
-![dc-chart3](images/plan/dc-chart3.png) +![dc-chart3.](images/plan/dc-chart3.png) Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same. -![dc-chart4](images/plan/dc-chart4.png) +![dc-chart4.](images/plan/dc-chart4.png) Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment. -![dc-chart5](images/plan/dc-chart5.png) +![dc-chart5.](images/plan/dc-chart5.png) You'll notice the distribution did not change. Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. 
Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index ab73eab4f9..f354ae19d4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. 10. Click **Enroll**. 
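Review bot: in the hello-adequate-domain-controllers.md hunk above, the alt text "dc-chart1." through "dc-chart5." is still just the image file name with a period appended, so the change satisfies the trailing-period lint without helping anyone using a screen reader; describe what each chart shows instead (for dc-chart1, the Kerberos AS request load spread evenly across 10 domain controllers; for dc-chart3, the key trust load split 50/50 between the two upgraded domain controllers, and so on). The same hunk's context line "Both Windows Server 2019 domain controllers still share 10 percent of this load" contradicts the "Windows Server 2016 or later" wording used everywhere else in the passage; align it while the file is being edited.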
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. @@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. 
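Review bot: the hunks at lines 184 and 204 of hello-cert-trust-adfs.md carry the same procedure twice (Server Manager, "Configure federation services on this server", the identical screenshot hello-adfs-configure-2012r2.png, "Create the first federation server farm"), differing only in the example names (fs.corp.contoso.com versus fs.corp.mstepdemo.net). Either one copy is a leftover and should be removed, or the second targets a different scenario and its heading should say which; as it stands a reader cannot tell which to follow, and the mstepdemo.net example is inconsistent with the contoso.com naming used in the certificate enrollment steps at line 91 of the same file (fs.corp.contoso.com, enterpriseregistration.contoso.com). Touching only the alt text on both copies preserves the duplication.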
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation. - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS 
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea Sign-in a node of the federation farm with _Admin_ equivalent credentials. 1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) + ![NLB Manager user interface.](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) + ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) + ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
- ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) + ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. 9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 0686de8a9a..57f12a0692 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i “schema”``` -![Netdom example output](images/hello-cmd-netdom.png) +![Netdom example output.](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index bafde6afc2..0bbce98b00 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -51,7 +51,7 @@ Three approaches are documented here: 1. Right-click the **Smartcard Logon** template and click **Duplicate Template** - ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png) + ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) 1. On the **Compatibility** tab: 1. Clear the **Show resulting changes** check box @@ -109,7 +109,7 @@ Three approaches are documented here: 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** - ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png) + ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. 
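Review bot: the hello-cert-trust-validate-ad-prereq.md hunk above leaves the command ```Netdom query fsmo | findstr -i “schema”``` with curly quotes inside the code span; pasted into cmd.exe, the curly quotes are not quote delimiters, so findstr searches for the literal string “schema” and matches nothing, and the step silently returns no domain controller. Replace them with straight quotes (findstr -i "schema") and put the command in a fenced block on its own line rather than an inline triple-backtick span. The sentence below it, "the domain controller where you need to adprep.exe", is also missing its verb ("where you need to run adprep.exe").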
@@ -123,7 +123,7 @@ Three approaches are documented here: 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** - ![Request a new certificate](images/rdpcert/requestnewcertificate.png) + ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) 1. On the Certificate Enrollment screen, click **Next**. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 476aed7683..48a0d130df 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the ** The following image shows an example of an error during **Create a PIN**. -![PIN error](images/pinerror.png) +![PIN error.](images/pinerror.png) ## Error mitigations diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 0ecc622ba4..2fbed0b012 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. - ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) + ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) > [!NOTE] > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. 
- :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: + :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: ### Configure Windows devices to use PIN reset using Group Policy @@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - **Data type:** String - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) - :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: + :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: 1. Click the Save button to save the custom configuration. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 30dc6c78e6..b5361a656c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility. Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. > [!div class="mx-imgBorder"] -> ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png) +> ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png) > [!IMPORTANT] > The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index a90f1587c2..1efcc90b24 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Azure Active Directory -![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png) +![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png) | Phase | Description | | :----: | :----------- | 
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| ## Azure AD join authentication to Active Directory using a Key -![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) +![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png) | Phase | Description | @@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Active Directory using a Certificate -![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png) +![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png) | Phase | Description | | :----: | :----------- | @@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Hybrid Azure AD join authentication using a Key -![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png) +![Hybrid Azure AD join authentication using a Key.](images/howitworks/auth-haadj-keytrust.png) | Phase | Description | | :----: | :----------- | 
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. ## Hybrid Azure AD join authentication using a Certificate -![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png) +![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 0fb161ccb5..20008e7565 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Azure AD joined provisioning in a Managed environment -![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png) +![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-managed.png) | Phase | Description | | :----: | :----------- | 
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment -![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) +![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png) | Phase | Description | | :----: | :----------- | @@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment -![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](images/howitworks/prov-haadj-keytrust-managed.png) +![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment.](images/howitworks/prov-haadj-keytrust-managed.png) | Phase | Description | @@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment -![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) +![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png) | Phase | Description | 
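Review bot: in the hunk at line 48 of hello-how-it-works-provisioning.md, the changed line keeps the wrong alt text: the section heading is "Azure AD joined provisioning in a Federated environment" and the image is prov-aadj-federated.png, but the alt still reads "Azure AD joined provisioning in a Managed environment." Since the line is already being edited for the trailing period, fix the alt to match the heading, otherwise screen-reader users are told this is the managed diagram.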
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Key Trust deployment -![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) +![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png) | Phase | Description | | :----: | :----------- | @@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Certificate Trust deployment -![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) +![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8e0a208a86..13246cec6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect). If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks. -![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png) +![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png) ### Azure Active Directory Device Registration A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. -![dsregcmd output](images/aadj/dsregcmd.png) +![dsregcmd output.](images/aadj/dsregcmd.png) ### CRL Distribution Point (CDP) Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. 
During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid. -![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png) +![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated. 
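Review bot: the paragraph under the CDP screenshot in this hunk misnames the extension, "The preceding domain controller certificate shows a CRL distribution path (CDP)"; it should read "CRL distribution point (CDP)", matching the heading "### CRL Distribution Point (CDP)" and the certificate field name used later in the file. Two grammar slips in the same region are worth fixing while the alt text is being touched: "When a certificate authority revokes as certificate" should be "revokes a certificate", and "regardless whether you are using a key or a certificate" should be "regardless of whether". The circular-dependency explanation is the key security point of the section, so add its consequence explicitly: the replacement CDP must be plain HTTP (the later steps build http://crl.[domainname]/cdp/), because an LDAP CDP needs an authenticated directory read and an HTTPS CDP would require validating another certificate before the first one can be checked.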
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**. 2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**. 3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**. - ![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) + ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) > [!NOTE] > Make note of this path as you will use it later to configure share and file permissions. 4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane. 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**. - ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png) + ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png) In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane. - ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png) + ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png) 7. Close **Internet Information Services (IIS) Manager**. #### Create a DNS resource record for the CRL distribution point URL 
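Review bot: step 6 sets `allowDoubleEscaping` to **True** without saying why, and the double-escaping check in request filtering is a hardening control, so the reason belongs next to the setting: the delta CRL the CA publishes has a plus sign in its file name, which arrives percent-encoded and is rejected by request filtering (a 404.11 "URL Double Escaped" response) unless double escaping is allowed. Suggest adding that sentence, and stating that because the Configuration Editor is opened with **CDP** selected in step 5, the change applies only to the cdp virtual directory and should not be made at the **Default Web Site** level. Step 4 enables **Directory Browsing**, which the later "Validate CDP Publishing" step depends on to list the published files; say so here so readers do not treat it as optional.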
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**. 2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**. 3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**. -![Create DNS host record](images/aadj/dns-new-host-dialog.png) +![Create DNS host record.](images/aadj/dns-new-host-dialog.png) 4. Close the **DNS Manager**. ### Prepare a file share to host the certificate revocation list 
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. 3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. -![cdp sharing](images/aadj/cdp-sharing.png) +![cdp sharing.](images/aadj/cdp-sharing.png) 4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**. 8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. -![CDP Share Permissions](images/aadj/cdp-share-permissions.png) +![CDP Share Permissions.](images/aadj/cdp-share-permissions.png) 9. In the **Advanced Sharing** dialog box, click **OK**. > [!Tip] 
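Review bot: the step list in this hunk jumps from 5 to 7, so step 6 is missing; renumber. Step 8 grants the certificate authority **Full control** on the `cdp$` share, which is more than CRL publishing needs: the CA only has to create and overwrite the .crl files, so **Change** on the share is sufficient (with the matching **Modify** on NTFS in the later procedure). Either lower the permission or explain why Full control is chosen. Step 5 selects the **Computers** object type and step 7 adds the CA server by name; state explicitly that the CA publishes to the share as its computer account, so readers do not add a user account instead.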
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. 3. Click **Caching**. Select **No files or programs from the shared folder are available offline**. -![CDP disable caching](images/aadj/cdp-disable-caching.png) +![CDP disable caching.](images/aadj/cdp-disable-caching.png) 4. Click **OK**. #### Configure NTFS permission for the CDP folder @@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow 2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab. 3. On the **Security** tab, click Edit. 5. In the **Permissions for cdp** dialog box, click **Add**. -![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png) +![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png) 6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**. 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**. 8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. 
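Review bot: in the second hunk ("Configure NTFS permission for the CDP folder") the steps run 2, 3, 5, 6, so step 4 is missing, and step 3's "click Edit" lacks the bold used for every other control name on the page. The same least-privilege point as the share permissions applies to step 8: **Modify** covers creating and replacing CRL files, so **Full control** should either be reduced or justified.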
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point. Now, configure the 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. 4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). - ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) + ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. - ![CDP complete http](images/aadj/cdp-extension-complete-http.png) + ![CDP complete http.](images/aadj/cdp-extension-complete-http.png) 8. Select **Include in CRLs. Clients use this to find Delta CRL locations**. 9. Select **Include in the CDP extension of issued certificates**. 10. Click **Apply** save your selections. Click **No** when ask to restart the service. 
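Review bot: step 4's example URLs and the three variable names in step 5 render as empty bold markers ("For example, ** or **" and "Select **\** from the **Variable** list"), almost certainly because angle-bracketed placeholders were swallowed as HTML; escape them so the reader can see the exact CDP string to build, otherwise steps 5 and 6 cannot be followed. Step 10 reads "Click **Apply** save your selections. Click **No** when ask to restart the service"; it should be "to save" and "when asked". Also, the delta CRL file name produced by the variables inserted in step 5 contains a plus sign, which is the reason the earlier IIS step required `allowDoubleEscaping`; a cross-reference between the two procedures would make that dependency visible.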
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. - ![CDP publishing location](images/aadj/cdp-extension-complete-unc.png) + ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. @@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish** -![Publish a New CRL](images/aadj/publish-new-crl.png) +![Publish a New CRL.](images/aadj/publish-new-crl.png) 3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**. #### Validate CDP Publishing @@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. 1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. - ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) + ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates 
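Review bot: the publishing-location hunk repeats the two slips of the HTTP one: empty variable placeholders in step 5 ("Select **\** from the **Variable** list") and "Click **Apply** save your selections. Click **Yes** when ask to restart the service" in step 10. In the "Validate CDP Publishing" hunk, "You should see two files" should name them (the base CRL and the delta CRL) and say what a missing second file means: the listing only appears because **Directory Browsing** was enabled, and a 404 on the delta CRL is the symptom of the `allowDoubleEscaping` setting having been skipped, which is the most useful troubleshooting hint this page can give.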
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -![Certificate Manager Personal store](images/aadj/certlm-personal-store.png) +![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png) 4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**. -![Renew with New key](images/aadj/certlm-renew-with-new-key.png) +![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) 5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**. 6. After the enrollment completes, click **Finish** to close the wizard. 7. Repeat this procedure on all your domain controllers. @@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. 4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**. 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
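Review bot: step 3 of the reissue hunk and step 3 of the validation hunk both read "select the existing domain controller certificate includes **KDC Authentication**", missing "that", and "Sign-in a domain controller" should be "Sign in to a domain controller". Step 4 chooses **Renew Certificate with New Key** and step 7 repeats it on every domain controller; the doc should say why: the CDP extension is written into the certificate at issuance, so only a newly issued certificate carries the HTTP URL, and an Azure AD joined client can be directed to any domain controller, so one DC still presenting the old LDAP-only certificate will fail revocation checking. The new-key choice is key hygiene on top of that and is worth a clause of its own.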
-![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png) +![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) ## Configure and Assign a Trusted Certificate Device Configuration Profile @@ -276,13 +276,13 @@ Steps you will perform include: 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. 4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**. -![Certificate Path](images/aadj/certlm-cert-path-tab.png) +![Certificate Path.](images/aadj/certlm-cert-path-tab.png) 5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**. -![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png) +![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png) 6. In the **Certificate Export Wizard**, click **Next**. 7. On the **Export File Format** page of the wizard, click **Next**. 8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. -![Export root certificate](images/aadj/certlm-export-root-certificate.png) +![Export root certificate.](images/aadj/certlm-export-root-certificate.png) 9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. ### Create and Assign a Trust Certificate Device Configuration Profile 
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. -![Intune Create Profile](images/aadj/intune-create-device-config-profile.png) +![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png) 3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. -![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) +![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png) 5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. -![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) +![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. > [!NOTE] > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. 
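Review bot: step 1 sends the reader to the Azure portal's **Microsoft Intune** blade and the **Device configuration** > **Create profile** path, while the hunks in hello-hybrid-aadj-sso-cert.md in this same patch use the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/); pick one console for the whole deployment guide, since the blade names and navigation differ. Step 5 assigns the root certificate to **All Devices**, which is right for an enterprise root, but a device that has not yet received the profile cannot validate the domain controller certificate and will fail Windows Hello for Business sign-in, so add where an admin can confirm the profile was delivered before moving on.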
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Choose **Enroll devices**. 4. Select **Windows enrollment**. 5. Under **Windows enrollment**, select **Windows Hello for Business**. - ![Create Windows Hello for Business Policy](images/aadj/MEM.png) + ![Create Windows Hello for Business Policy.](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index b8ce7af3da..e4ada9da90 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 2. Click **Login** and provide Azure credentials 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. - ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) + ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account 
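Review bot: in the Windows Hello for Business policy hunk, step 7 has "falls backs to software" (should be "falls back"), and the sentence carries the security decision, so tighten it: with **Required**, provisioning fails on a device without a usable TPM instead of silently creating a software-protected key, which is exactly what an admin needs to know before choosing it. In the hello-hybrid-aadj-sso-cert.md hunk, the heading context line spells the attribute "onPremisesDistingushedNamne" while step 4 uses the correct **onPremisesDistinguishedName**; fix the heading. That verification also goes through the Azure AD Graph endpoint (https://graph.windows.net/...), which Microsoft has deprecated; a Microsoft Graph equivalent, or at least a note that the endpoint is going away, would keep the check usable.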
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 1. Open **Server Manager** on the NDES server. 2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. - ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) + ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. - ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) + ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) + ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png) + ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. 
Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. - ![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) 7. Click **Next** on the **Web Server Role (IIS)** page. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. * **Web Server > Security > Request Filtering** @@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr * **Web Server > Application Development > ASP.NET 4.5**. . * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** - ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) + ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) + ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation 
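Review bot: "Web Serve role" in step 8 should be "Web Server role", and the trailing ". ." after "**ASP.NET 4.5**" is stray punctuation. In the IMPORTANT note, the alternate-source example renders as "\:\\Sources\SxS\" with the drive-letter placeholder lost; escape it so the path is readable, since a reader on a disconnected server has no other way to know what to type.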
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_. > [!NOTE] > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs. -![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png) +![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png) #### Configure the NDES Service account for delegation The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation. 
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. - ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) + ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. - ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. - ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates 
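Review bot: step 9 says "Repeat steps 8 and 9", which refers to itself; it should be "Repeat step 8". Step 6 has "Avaiable services". More importantly, step 4 selects **Use any authentication protocol** (protocol transition) with no explanation: with it, the NDES service account can obtain a ticket for any user to the listed HOST and dcom services without that user ever authenticating to it, so a compromise of NDESSvc becomes an impersonation path to every NDES server and issuing CA in the list. State why Kerberos-only constrained delegation does not work for this flow and make the trade-off explicit, and keep the service list to exactly the NDES servers and CAs as steps 6 to 9 already do.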
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr > [!NOTE] > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. -![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) +![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. 2. On the **Credentials** page, click **Next**. - ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) + ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** - ![NDES Role Services](images/aadjcert/ndesconfig02.png) + ![NDES Role Services.](images/aadjcert/ndesconfig02.png) 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. - ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) + ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. - ![NDES CA selection](images/aadjcert/ndesconfig04.png) + ![NDES CA selection.](images/aadjcert/ndesconfig04.png) 6. On the **RA Information**, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. - ![NDES Confirmation](images/aadjcert/ndesconfig05.png) + ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) 8. Click **Close** after the configuration completes. 
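Review bot: the list has two step 8s ("Review the **Confirmation** page" and "Click **Close**"), and "Server Manger" in the note should be "Server Manager". Step 5 should say that the CA chosen here must be one of the issuing CAs the service account was delegated to in the previous procedure; a CA outside that list is not covered by the delegation and enrollment through NDES will fail in a way that is hard to trace back to this page.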
#### Configure Certificate Templates on NDES 
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. - ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. - ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png) + ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png) 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. - ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png) + ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png) 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. 
- ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png) + ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png) 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group @@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. - ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. - ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 6. Click **Save**. 
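Review bot: step 10 says "Repeat steps 5 - 10 for each device", which includes itself; it should be "steps 5 - 9". Steps 7, 8 and 9 reuse the identical alt text "Azure Application Proxy Connector.", so the period this patch adds does not make them distinguishable to a screen reader; give each image its own description. Step 8 requires **Global Administrator** to register a connector while the rest of the guide is careful to name the least privileged sign-in; say whether a lower role is acceptable here.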
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). - ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) + ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 
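Review bot: step 7 is labelled "Under **Internal URL**" but describes the external hostname, so it should read **External URL**. The same step spells the suffix two ways, "-[tenantName].msapproxy.net" and "(-mstephendemo.msappproxy.net)"; the second is the real domain, make them consistent. Step 8 selects **Passthrough** pre-authentication, which publishes the NDES SCEP endpoint to the internet with no Azure AD authentication in front of it; say why that is required (the SCEP client on the device is not an interactive Azure AD sign-in) and what compensates for it, otherwise a reader will reasonably treat it as a misconfiguration.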
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Click **Enroll** 
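Review bot: two consecutive steps are numbered 9 ("Under **Alternative name**..." and "Click **Enroll**"); renumber. "Sign-in the NDES server" in the hunk header context should be "Sign in to the NDES server". Steps 8 and 9 correctly place both the internal FQDN and the external msappproxy name in the subject alternative name; add one sentence on why both are needed, since the reader is about to remove the http binding and will see the certificate name mismatch only as a failed connection.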
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. - ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) + ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png) 3. Click **Bindings...*** under **Actions**. Click **Add**. - ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) + ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png) 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. - ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) + ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png) 6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. 8. Close **Internet Information Services (IIS) Manager**. @@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. -![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) +![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. -![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png) +![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune 
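Review bot: adding a period does not fix the real alt-text problem in this hunk, which is that four different screenshots (bindings list, Add Site Binding, the HTTPS test page and the certificate view) all get the identical text "NDES IIS Console."; each should describe what it shows, for example "Add Site Binding dialog with https on port 443." The same applies to the two images in the following @@ -509 hunk. While here, "Click **Bindings...***" has an unbalanced asterisk that renders a stray "*", and the event source in the @@ -509 context is misspelled "NetworkDeviceEnrollmentSerice"; the source name is NetworkDeviceEnrollmentService.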
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. - ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) + ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) 4. Select **Allow unlisted file name extensions**. 5. Select **Allow unlisted verbs**. 6. Select **Allow high-bit characters**. @@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - ![Intune Certificate Authority](images/aadjcert/profile01.png) + ![Intune Certificate Authority.](images/aadjcert/profile01.png) 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. 5. Sign-out of the Microsoft Endpoint Manager admin center. 
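Review bot: steps 4 to 6 of the first hunk loosen IIS request filtering on the Default Web Site (allow unlisted file name extensions, unlisted verbs and high-bit characters), and nothing in the surrounding text says why. A one-line explanation that these relaxations are required for the NDES/SCEP endpoint on this site, and are not general IIS hardening advice, would stop readers from applying them elsewhere.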
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. 3. On the **Microsoft Intune** page, click **Next**. - ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) + ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) + ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) + ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. 
- ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) + ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) + ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. @@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_. > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - ![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png) + ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. - ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) + ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. 
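Review bot: the context of the @@ -564 hunk contains a typo and a sentence fragment next to the lines being changed: the note reads "the application rembers the selection" (should be "remembers"), and step 9 reads "ON the **Ready to install Microsoft Intune Connector** page. Click **Install**." which should be "On the **Ready to install Microsoft Intune Connector** page, click **Install**." In the @@ -594 hunk, step 2 ends "Click **Apply**" without a period.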
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival 1. Start the **Certification Authority** management console. 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. - ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) + ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation @@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) + ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector 
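Review bot: step 4 in the first hunk, "4. Close the **Certification Authority**", is an unfinished sentence; it should read "4. Close the **Certification Authority** management console." Step 3 in the same hunk uses single-asterisk italics for "*Check Names*" where every other UI element in the procedure is bold. In the second hunk the path "**\\NDESConnectorUI\NDESConnectorUI.exe**" starts with a double backslash that reads as a UNC fragment rather than a folder under the install directory; state the full install path or drop the leading backslashes.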
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. 6. Provide a **Group description**, if applicable. 7. Select **Assigned** from the **Membership type** list. - ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) + ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. 
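Review bot: the first hunk repeats the misspelled event source "NetworkDeviceEnrollmentSerice" (the source is NetworkDeviceEnrollmentService), and its heading context says "_domain admin_" while the rest of the article uses "_domain administrator_"; both should be made consistent in this pass. Step 6, which re-enables Internet Explorer Enhanced Security Configuration after the test, is a good hardening step and could be called out as mandatory rather than listed as just another click.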
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices**, and then click **Configuration Profiles**. 3. Select **Create Profile**. - ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png) + ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) 4. Select **Windows 10 and later** from the **Platform** list. 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. 
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. - ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png) + ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 18. Click **Next**. 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. @@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Click **WHFB Certificate Enrollment**. 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. - ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png) + ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. 7. Click **Review + Save**, and then **Save**. 
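Review bot: step 17 of the first hunk gives the example SCEP URL as "https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll", which does not match the external name "ndes-mstephendemo.msappproxy.net" used when the certificate was enrolled earlier in the same article; a reader comparing the two will think a different proxy is meant. Use one example name throughout.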
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index e80dc75f72..9e100bc146 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i schema``` -![Netdom example output](images/hello-cmd-netdom.png) +![Netdom example output.](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. 
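Review bot: the context line "open and command prompt and type:" in this hunk should read "open a command prompt and type:". The command that follows is wrapped in triple backticks on a single line, which renders as inline code rather than a code block; either put it on its own fenced block with blank lines around it or use single backticks.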
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS** ### Create AD objects for AD FS Device Authentication If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. -![Device Registration](images/hybridct/device1.png) +![Device Registration.](images/hybridct/device1.png) > [!NOTE] > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. -![Device Registration](images/hybridct/device2.png) +![Device Registration.](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: @@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration](images/hybridct/device3.png) +![Device Registration.](images/hybridct/device3.png) The above PSH creates the following objects: 
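Review bot: every screenshot in these three hunks (and in the @@ -140 and @@ -155 hunks that follow) is labelled with the identical alt text "Device Registration.", so the period adds nothing for assistive technology; give each a description of what the image shows, for example "Add Roles and Features wizard with AD DS and AD LDS Tools selected." In the context lines, "GMSA account" should be "gMSA" and "The above PSH creates the following objects:" should spell out "PowerShell", since "PSH" is not used elsewhere in the article.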
@@ -140,11 +140,11 @@ The above PSH creates the following objects: - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration -![Device Registration](images/hybridct/device4.png) +![Device Registration.](images/hybridct/device4.png) 4. Once this is done, you will see a successful completion message. -![Device Registration](images/hybridct/device5.png) +![Device Registration.](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS @@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep -![Device Registration](images/hybridct/device6.png) +![Device Registration.](images/hybridct/device6.png) 2. Provide your Azure AD global administrator credentials `PS C:>$aadAdminCred = Get-Credential` -![Device Registration](images/hybridct/device7.png) +![Device Registration.](images/hybridct/device7.png) 3. Run the following PowerShell command 
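Review bot: in the second hunk the inline command is written as `PS C:>$aadAdminCred = Get-Credential`, which embeds the prompt in the copyable text; drop "PS C:>" so the line can be pasted as-is. Steps 2 and 3 in that hunk ("Provide your Azure AD global administrator credentials", "Run the following PowerShell command") also lack terminating periods, unlike the other steps.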
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration](images/hybridct/device8.png) +![Device Registration.](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index cfaf049efd..35bd16ed3e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -27,22 +27,22 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result](images/Event358.png) +![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. -![Setup a PIN Provisioning](images/setupapin.png) +![Setup a PIN Provisioning.](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -![MFA prompt during provisioning](images/mfa.png) +![MFA prompt during provisioning.](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. 
This PIN must observe any PIN complexity requirements that you deployed to the environment. -![Create a PIN during provisioning](images/createPin.png) +![Create a PIN during provisioning.](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 9caf362da6..e60e0b15f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -27,22 +27,22 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358](images/Event358-2.png) +![Event358.](images/Event358-2.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. -![Setup a PIN Provisioning](images/setupapin.png) +![Setup a PIN Provisioning.](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -![MFA prompt during provisioning](images/mfa.png) +![MFA prompt during provisioning.](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. 
-![Create a PIN during provisioning](images/createPin.png) +![Create a PIN during provisioning.](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 99491fb5c3..4e83f31ec3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. 9. Click **Enroll**. 
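Review bot: in the hello-key-trust-adfs hunk (@@ -73), the alt text "This is what shows when you click the above link." describes screen position rather than content and should say what the dialog is, for example "Certificate Properties dialog, Subject tab with Common Name and DNS alternative name entries." In the same hunk, step 6 has a capitalized "Select" mid-sentence ("On the **Request Certificates** page, Select the ...").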
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. @@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 
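Review bot: both hunks change the same alt text, "Example of pop-up notification as described above.", which still relies on "above" and gives no information on its own; since the two procedures (2012 R2 and 2016) are otherwise identical, use the same descriptive text in both, for example "Server Manager notification flag with the Configure federation services on this server link."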
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS 
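Review bot: step 8, "Click **Install** to start the feature installation", is the only step in this list without a terminating period; add one while the adjacent image line is being edited.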
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea Sign-in a node of the federation farm with _Admin_ equivalent credentials. 1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) + ![NLB Manager user interface.](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) + ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) + ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
- ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) + ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. 9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 00fa16c254..1a2b17c308 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello](images/authflow.png) +![How authentication works in Windows Hello.](images/authflow.png) Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 3ff85f511f..e7d6a0cea8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md 
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. -![who owns this pc](images/corpown.png) +![who owns this pc.](images/corpown.png) Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. -![choose how you'll connect](images/connect.png) +![choose how you'll connect.](images/connect.png) They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. @@ -55,7 +55,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. -![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) +![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 87e71bc747..2b1c101fc0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -21,7 +21,7 @@ ms.reviewer: ## Four steps to password freedom Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. -![Passwordless approach](images/four-steps-passwordless.png) +![Passwordless approach.](images/four-steps-passwordless.png) ### 1. Develop a password replacement offering 
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us ##### Security Policy You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. -![securityPolicyLocation](images/passwordless/00-securityPolicy.png) +![securityPolicyLocation.](images/passwordless/00-securityPolicy.png) **Windows Server 2016 and earlier** The policy name for these operating systems is **Interactive logon: Require smart card**. -![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png) +![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png) **Windows 10, version 1703 or later using Remote Server Administrator Tools** The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. -![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) +![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png) When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon** -![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) +![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png) The name of the policy setting is **Exclude credential providers**. 
The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. -![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png) +![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png) Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. @@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ > [!NOTE] > Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. -![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) +![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: 
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect - the user is not asked to change their password - domain controllers do not allow passwords for interactive authentication -![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png) +![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** > [!NOTE] > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. -![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) +![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** > [!NOTE] 
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. -![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) +![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 5e24e71b64..2ad3bb1f3b 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md 
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk, The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. -![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png) +![Each logical container holds one or more sets of keys.](../images/passport-fig3-logicalcontainer.png) Containers can contain several types of key material: diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 57bbf194fc..65fa656745 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: -![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) +![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: -![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) +![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. @@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C 2. Double-click **Restrict delegation of credentials to remote servers**. - ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) + ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) 3. Under **Use the following restricted mode**: diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 635a9631d6..d5c9651f0f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios. In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in. -![Smart card service redirects to smart card reader](images/sc-image101.png) +![Smart card service redirects to smart card reader.](images/sc-image101.png) **Remote Desktop redirection** diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 0663f9a479..63cbad9b26 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system. -![Credential provider architecture](images/sc-image201.gif) +![Credential provider architecture.](images/sc-image201.gif) **Figure 1**  **Credential provider architecture** @@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers. -![Base CSP and smart card minidriver architecture](images/sc-image203.gif) +![Base CSP and smart card minidriver architecture.](images/sc-image203.gif) **Figure 2**  **Base CSP and smart card minidriver architecture** @@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system. -![Smart card selection process](images/sc-image205.png) +![Smart card selection process.](images/sc-image205.png) **Figure 3**  **Smart card selection behavior** 
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again Figure 4 shows the Cryptography architecture that is used by the Windows operating system. -![Cryptography architecture](images/sc-image206.gif) +![Cryptography architecture.](images/sc-image206.gif) **Figure 4**  **Cryptography architecture** diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index ae671b4ace..dbcf86ee67 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The **Certificate propagation service** -![Certificate propagation service](images/sc-image302.gif) +![Certificate propagation service.](images/sc-image302.gif) 1. A signed-in user inserts a smart card. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index ef209588b9..a220e7e658 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p The following diagram illustrates how smart card sign-in works in the supported versions of Windows. -![Smart card sign-in flow](images/sc-image402.png) +![Smart card sign-in flow.](images/sc-image402.png) **Smart card sign-in flow** 
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us **Certificate revocation list distribution points** -![Certificate revocation list distribution points](images/sc-image403.png) +![Certificate revocation list distribution points.](images/sc-image403.png) **UPN in Subject Alternative Name field** -![UPN in Subject Alternative Name field](images/sc-image404.png) +![UPN in Subject Alternative Name field.](images/sc-image404.png) **Subject and Issuer fields** -![Subject and Issuer fields](images/sc-image405.png) +![Subject and Issuer fields.](images/sc-image405.png) This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC. **High-level flow of certificate processing for sign-in** -![High-level flow of certificate processing for sign-in](images/sc-image406.png) +![High-level flow of certificate processing for sign-in.](images/sc-image406.png) The certificate object is parsed to look for content to perform user account mapping. @@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i **Certificate processing logic** -![Certificate processing logic](images/sc-image407.png) +![Certificate processing logic.](images/sc-image407.png) NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy). diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index fa36cf563f..3f72307e25 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi **Smart card removal policy service** -![Smart card removal policy service](images/sc-image501.gif) +![Smart card removal policy service.](images/sc-image501.gif) The numbers in the previous figure represent the following actions: diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 10ffd31a84..76159c664d 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window The following shows how the logon process for an administrator differs from the logon process for a standard user. -![uac windows logon process](images/uacwindowslogonprocess.gif) +![uac windows logon process.](images/uacwindowslogonprocess.gif) By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. @@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. -![uac consent prompt](images/uacconsentprompt.gif) +![uac consent prompt.](images/uacconsentprompt.gif) **The credential prompt** 
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta The following is an example of the UAC credential prompt. -![uac credential prompt](images/uaccredentialprompt.gif) +![uac credential prompt.](images/uaccredentialprompt.gif) **UAC elevation prompts** @@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows: Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. -![uac shield icon](images/uacshieldicon.png) +![uac shield icon.](images/uacshieldicon.png) The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. @@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno The following diagram details the UAC architecture. -![uac architecture](images/uacarchitecture.gif) +![uac architecture.](images/uacarchitecture.gif) To better understand each component, review the table below: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index badf574468..4468785ff0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram. -![Diagram of physical smart card lifecycle](images/vsc-physical-smart-card-lifecycle.png) +![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 6fb462eb81..044f7c1fe1 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md 
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a The following diagram illustrates the secure key hierarchy and the process of accessing the user key. -![Diagram of the process of accessing the user key](images/vsc-process-of-accessing-user-key.png) +![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png) The following keys are stored on the hard disk: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 6810a79d95..c6ad4e0710 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo 2. Click **File**, and then click **Add/Remove Snap-in**. - ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png) + ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) 3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**. - ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png) + ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) 4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. 5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. - ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png) + ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png) 6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. - ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png) + ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png) 7. On the **General** tab: 
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo 12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. - ![Add Certification Authority snap-in](images/vsc-06-add-certification-authority-snap-in.png) + ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png) 13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. 14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. - ![Right-click menu for Certificate Templates](images/vsc-07-right-click-certificate-templates.png) + ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png) 15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. > **Note**  It can take some time for your template to replicate to all servers and become available in this list. - ![Selecting a certificate template](images/vsc-08-enable-certificate-template.png) + ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) 16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. - ![Stopping and starting the service](images/vsc-09-stop-service-start-service.png) + ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) ## Step 2: Create the TPM virtual smart card 
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u 1. On a domain-joined computer, open a Command Prompt window with Administrative credentials. - ![Cmd prompt, Run as administrator](images/vsc-10-cmd-run-as-administrator.png) + ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png) 2. At the command prompt, type the following, and then press ENTER: @@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to 2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**. - ![Request New Certificate](images/vsc-11-certificates-request-new-certificate.png) + ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) 3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1). - ![Certificate enrollment, select certificate](images/vsc-12-certificate-enrollment-select-certificate.png) + ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) 4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 789da743aa..4d3f59ff0a 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see: To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card. -![Icon for a virtual smart card](images/vsc-virtual-smart-card-icon.png) +![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png) A TPM-based virtual smart card is labeled **Security Device** in the user interface. diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 9665848076..2c0a581e8d 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP). -![EAP XML configuration in Intune profile](images/vpn-eap-xml.png) +![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 2c1405d9e0..44b05da541 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune. -![Add an app for the VPN connection](images/vpn-app-trigger.png) +![Add an app for the VPN connection.](images/vpn-app-trigger.png) After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. -![Configure rules for the app](images/vpn-app-rules.png) +![Configure rules for the app.](images/vpn-app-rules.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 393bf3b90b..66baa88e46 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com The VPN client side connection flow works as follows: > [!div class="mx-imgBorder"] -> ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png) +> ![Device compliance workflow when VPN client attempts to connect.](images/vpn-device-compliance.png) When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index e65b9b6d8b..465f79924f 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. -![VPN connection types](images/vpn-connection.png) +![VPN connection types.](images/vpn-connection.png) ## Built-in VPN client @@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: > [!div class="mx-imgBorder"] -> ![Available connection types](images/vpn-connection-intune.png) +> ![Available connection types.](images/vpn-connection-intune.png) In Intune, you can also include custom XML for third-party plug-in profiles: > [!div class="mx-imgBorder"] -> ![Custom XML](images/vpn-custom-xml-intune.png) +> ![Custom XML.](images/vpn-custom-xml-intune.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index fcc360257b..70cec8d554 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune. -![Add DNS rule](images/vpn-name-intune.png) +![Add DNS rule.](images/vpn-name-intune.png) The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table. 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 69940276c8..96eae8c6ac 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i 10. Set Data type to **String (XML file)**. 11. Upload the profile XML file. 12. Click **OK**. - ![Custom VPN profile](images/custom-vpn-profile.png) + ![Custom VPN profile.](images/custom-vpn-profile.png) 13. Click **OK**, then **Create**. 14. Assign the profile. diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index a33e2b0f3f..ea0cb1c3ae 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration. -![split tunnel](images/vpn-split.png) +![split tunnel.](images/vpn-split.png) Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection. -![add route for split tunnel](images/vpn-split-route.png) +![add route for split tunnel.](images/vpn-split-route.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index bd1a32dde4..c84ab32cb0 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md 
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune. -![Add a traffic rule](images/vpn-traffic-rules.png) +![Add a traffic rule.](images/vpn-traffic-rules.png) ## LockDown VPN diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 2c1a02b8db..62a4cf6cf0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co - Respond to suspicious activity - Recover from a breach -![Security stages](images/security-stages.png) +![Security stages.](images/security-stages.png) ## Attacks that steal credentials diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index fc9b15fdef..23b9d93073 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: -![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png) +![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png) Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. @@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: -![Kernel DMA protection](images/kernel-dma-protection.png) +![Kernel DMA protection.](images/kernel-dma-protection.png) If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 4864bdf4d4..cd0b6543e6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image 
type="content" source="images/yes-icon.png" alt-text="supported"::: | | -|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |Standard recovery password storage location | 
Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | -|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported"::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index eaccfb9c9f..a72324edf4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: *\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* -![Custom URL](./images/bl-intune-custom-url.png) +![Custom URL.](./images/bl-intune-custom-url.png) Example of customized recovery screen: -![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) +![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png) ### BitLocker recovery key hints BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. -![Customized BitLocker recovery screen](./images/bl-password-hint2.png) +![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) > [!IMPORTANT] > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. @@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the Microsoft Account and the custom URL are displayed. -![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png) +![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png) #### Example 2 (single recovery key with single backup) 
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the custom URL is displayed. -![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png) +![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png) #### Example 3 (single recovery key with multiple backups) @@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the Microsoft Account hint is displayed. -![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png) +![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png) #### Example 4 (multiple recovery passwords) @@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. -![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png) +![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png) #### Example 5 (multiple recovery passwords) @@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the most recent key is displayed. -![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png) +![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png) ## Using additional recovery information diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index c6483a8057..e8045e225c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -52,7 +52,7 @@ manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: -![Using manage-bde to check encryption status](images/manage-bde-status.png) +![Using manage-bde to check encryption status.](images/manage-bde-status.png) The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 2a08e910d0..664fb40db0 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in The output of such a command resembles the following. - ![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png) + ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png) - To export BitLocker-related information: ```ps 
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in The output of such a command resembles the following. - ![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png) + ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png) > [!NOTE] > If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index d41b2c7bf1..6268e09343 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md 
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps: 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows. - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png) If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following: - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png) > [!NOTE] > GPOs that change the security descriptors of services have been known to cause this issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index bab9c21e3e..1def746b1f 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md 
@@ -45,11 +45,11 @@ To install the tool, follow these steps: 1. Accept the default installation path. - ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png) + ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png) 1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. - ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png) + ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png) 1. Finish the installation. @@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps: This folder contains the TBSLogGenerator.exe file. - ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png) + ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: ```cmd 
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps: TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` - ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png) + ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png) The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file. - ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png) + ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) The content of this text file resembles the following. -![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png) +![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) To find the PCR information, go to the end of the file. - ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -114,4 +114,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) +![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 60c34a7bb6..611dc64098 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md 
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png) +![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following: -![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png) +![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png) ### Cause @@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following. -![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png) +![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png) ### Cause 
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. -![Default disk partitions, including the recovery partition](./images/4509194-en-1.png) +![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png) To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: @@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro diskpart list volume ``` -![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) +![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). -![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) +![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg) #### Step 2: Verify the status of WinRE @@ -123,7 +123,7 @@ reagentc /info ``` The output of this command resembles the following. -![Output of the reagentc /info command](./images/4509193-en-1.png) +![Output of the reagentc /info command.](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: 
@@ -141,7 +141,7 @@ bcdedit /enum all The output of this command resembles the following. -![Output of the bcdedit /enum all command](./images/4509196-en-1.png) +![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes 1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. - ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png) + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive% In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows. -![Output of the manage-bde command](./images/4509199-en-1.png) +![Output of the manage-bde command.](./images/4509199-en-1.png) If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on. -![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png) +![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png) #### 2. Verify the Secure Boot state 
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol 1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Verify that the **Secure Boot State** setting is **On**, as follows: - ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png) + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. - ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: @@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following: -![Intune policy settings](./images/4509186-en-1.png) +![Intune policy settings.](./images/4509186-en-1.png) The OMA-URI references for these settings are as follows: @@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati - Support Modern Standby - Use Windows 10 version 1803 or later -![Intune policy setting](./images/4509188-en-1.png) +![Intune policy setting.](./images/4509188-en-1.png) The OMA-URI references for these settings are as follows: 
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows: During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845. -![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png) +![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png) -![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png) +![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png) You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section. -![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png) +![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png) On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys: - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker** - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** -![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png) \ No newline at end of file +![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png) \ No newline at end of file diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 31fc1097a4..768d8cdd75 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked ## User experience -![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) +![Kernel DMA protection user experience.](images/kernel-dma-protection-user-experience.png) By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system. @@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. -![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png) +![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png) ### Using System information @@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if 2. Check the value of **Kernel DMA Protection**. - ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) + ![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png) 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO: 
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external). -![Kernel DMA protection user experience](images/device_details_tab_1903.png) +![Kernel DMA protection user experience.](images/device_details_tab_1903.png) *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. -![Kernel DMA protection user experience](images/device-details-tab.png) +![Kernel DMA protection user experience.](images/device-details-tab.png) ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 721ae1e1e3..3d8754473d 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo Figure 1 shows the Windows 10 startup process. -![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) +![Windows 10 startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png) **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** @@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. -![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png) +![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png) **Figure 2. Measured Boot proves the PC’s health to a remote server** diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 06d8c54066..dd9e12558e 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md 
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client • **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. -![TPM Capabilities](images/tpm-capabilities.png) +![TPM Capabilities.](images/tpm-capabilities.png) *Figure 1: TPM Cryptographic Key Management* @@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. -![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) +![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) *Figure 2: Process used to create evidence of boot software and configuration using a TPM* diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 4a5ddd2df2..5a5e12feb9 100644 
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. - ![Robocopy in S mode](images/robocopy-s-mode.png) + ![Robocopy in S mode.](images/robocopy-s-mode.png) If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index a605d96688..909073181d 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. - ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png) + ![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png) 3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. - ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png) + ![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png) 4. In the **Custom OMA-URI Settings** blade, click **Add**. @@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. - ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) + ![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png) 6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. 
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index f13e30a044..32511b9cd5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y 1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png) + ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. - ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png) + ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. @@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png) + ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png) 6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. - ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png) + ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png) The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. @@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap The **Add app rule** box appears. - ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png) + ![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. 
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** The **Add app rule** box appears. - ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png) + ![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. @@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. 
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 4. On the **Before You Begin** page, click **Next**. - ![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png) + ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. - ![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. 
- ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. @@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The **Add app rule** box appears. - ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png) + ![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. @@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png) + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. 
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png) + ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)

@@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png) + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. @@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings. -![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png) +![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png) **To set your optional settings** 1. Choose to set any or all of the optional settings: 
@@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o **To view the Summary screen** - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png) + ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png) A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 17dcaff4f3..0442c3778a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or 3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**: - ![Configure MDM or MAM provider](images/mobility-provider.png) + ![Configure MDM or MAM provider.](images/mobility-provider.png) ## Create a WIP policy @@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or 2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. - ![Open Client apps](images/create-app-protection-policy.png) + ![Open Client apps.](images/create-app-protection-policy.png) 3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: 
@@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM. - ![Add a mobile app policy](images/add-a-mobile-app-policy.png) + ![Add a mobile app policy.](images/add-a-mobile-app-policy.png) 4. Click **Protected apps** and then click **Add apps**. - ![Add protected apps](images/add-protected-apps.png) + ![Add protected apps.](images/add-protected-apps.png) You can add these types of apps: @@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**. -![Microsoft Intune management console: Recommended apps](images/recommended-apps.png) +![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png) ### Add Store apps @@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK** - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` - **Product Name**: `Microsoft.MicrosoftPowerBIForWindows` -![Add Store app](images/add-a-protected-store-app.png) +![Add Store app.](images/add-a-protected-store-app.png) To add multiple Store apps, click the ellipsis **…**. @@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**. -![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) +![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png) If you’re unsure about what to include for the publisher, you can run this PowerShell command: 
@@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png) + ![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png) 3. Right-click in the right-hand blade, and then click **Create New Rule**. @@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 4. On the **Before You Begin** page, click **Next**. - ![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png) + ![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. 
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. - ![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png) + ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png) 8. On the updated **Publisher** page, click **Create**. - ![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png) + ![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png) 9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. - ![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png) + ![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) + ![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png) 10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) + ![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. 
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 3. Right-click **Executable Rules** > **Create New Rule**. - ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png) + ![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png) 4. On the **Before You Begin** page, click **Next**. @@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 6. On the **Conditions** page, click **Path** and then click **Next**. - ![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png) + ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png) 7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". - ![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png) + ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png) 8. On the **Exceptions** page, add any exceptions and then click **Next**. @@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 1. In **Protected apps**, click **Import apps**. - ![Import protected apps](images/import-protected-apps.png) + ![Import protected apps.](images/import-protected-apps.png) Then import your file. - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) + ![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png) 2. Browse to your exported AppLocker policy file, and then click **Open**. 
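Review bot: the hunk-header context repeated on the `@@ -320`, `@@ -328` and `@@ -351` hunks still reads "The executable rule helps to create an AppLocker rule to sign any unsigned apps", but a path rule signs nothing; it tells WIP to treat executables found under the chosen path as enterprise apps. Since the alt-text lines in these hunks are being touched anyway, a follow-up should reword that sentence (for example "to include unsigned apps that a publisher rule can't match") and add a caution at step 7 that a path rule on "C:\Program Files" covers every executable under that directory, so the path should be narrowed to the specific app folder where possible.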
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise 1. In **Client apps - App protection policies**, click **Exempt apps**. - ![Exempt apps](images/exempt-apps.png) + ![Exempt apps.](images/exempt-apps.png) 2. In **Exempt apps**, click **Add apps**. @@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi 1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**. - ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) + ![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png) |Mode |Description | |-----|------------| @@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor 2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. - ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) + ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png) 3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**. - ![Add protected domains](images/add-protected-domains.png) + ![Add protected domains.](images/add-protected-domains.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. 
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. -![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) +![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png) Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**. 
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings: - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network. -![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) +![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png) ## Upload your Data Recovery Agent (DRA) certificate After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. 
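Review bot: the unchanged context after the `@@ -558` hunk says the DRA private key "can unencrypt the data"; "decrypt" is the standard term. The paragraph would also be stronger with one sentence noting that this private key can recover every WIP-encrypted file on every enrolled device, so it belongs offline and access-controlled rather than on the workstation used to upload the certificate. The alt-text change itself is fine.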
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to 2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) + ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. -![Advanced optional settings](images/wip-azure-advanced-settings-optional.png) +![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png) **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: @@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. -![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) +![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png) ## Related topics diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 524199cf73..8d929e1db4 100644 
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png) >[!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index b54cc7cbe1..dd3fb2529e 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task The **Select columns** box appears. - ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png) + ![Task Manager, Select column box with Enterprise Context option selected.](images/wip-select-column.png) 3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box. The **Enterprise Context** column should now be available in Task Manager. - ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png) + ![Task Manager, Enterprise Context column highlighted.](images/wip-taskmgr.png) ## Review the Enterprise Context The **Enterprise Context** column shows you what each app can do with your enterprise data: 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 1e97616ee8..e2f9ce0a1f 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h 1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. - ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) 1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. - ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + ![Image showing the UI with for app and website learning reports.](images/wip-learning-select-report.png) Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. @@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health, 4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). - ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) + ![View of drop down menu for Store or desktop apps.](images/wip-learning-choose-store-or-desktop-app.png) 5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. 
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health, `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US` - ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) + ![View of Add Apps app info entry boxes.](images/wip-learning-app-info.png) 6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 1ede3ef4ed..ea4b252a30 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. 
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png) +![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png) ## Troubleshooting diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 6e6173e36d..def1ec0b93 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -17,7 +17,7 @@ ms.technology: mde --- # Coordinated Malware Eradication -![coordinated-malware-eradication](images/CoordinatedMalware.png) +![coordinated-malware-eradication.](images/CoordinatedMalware.png) Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive. diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index e2029f3c2c..b125773d18 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md 
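Review bot: in the coordinated-malware-eradication.md hunk the alt text "coordinated-malware-eradication." is a file-name slug rather than a description, so adding a period only makes a screen reader pause after a slug. Since the line is being edited anyway, replace it with a description of what CoordinatedMalware.png shows, or use empty alt text if the image is decorative.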
@@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo For clarity, fileless threats are grouped into different categories. -![Comprehensive diagram of fileless malware](images/fileless-malware.png)
+![Comprehensive diagram of fileless malware.](images/fileless-malware.png)
*Figure 1. Comprehensive diagram of fileless malware* Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. @@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. -![Image of Kovter's registry key](images/kovter-reg-key.png)
+![Image of Kovter's registry key.](images/kovter-reg-key.png)
*Figure 2. Kovter’s registry key* When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index ef4a133061..3b37bdf391 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -20,7 +20,7 @@ ms.technology: mde We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format: -![coordinated-malware-eradication](images/NamingMalware1.png) +![coordinated-malware-eradication.](images/NamingMalware1.png) When our analysts research a particular threat, they'll determine what each of the components of the name will be. diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 1f997dac95..01c216b8fe 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md 
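Review bot: in the malware-naming.md hunk the alt text "coordinated-malware-eradication." for NamingMalware1.png is copied from a different article and does not describe the image; the sentence above it says the image shows the CARO naming format, so the alt text should say that (for example "CARO malware naming format."). The period alone does not fix the accessibility problem.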
@@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam: * The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. - ![example of how exploit kits work](./images/URLhover.png) + ![example of how exploit kits work.](./images/URLhover.png) * There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index 00eafc82ce..ae7c0e8363 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant. 2. Select **Grant admin consent for organization**. 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image](images/msi-grant-admin-consent.jpg) + ![grant consent image.](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   
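Review bot: in the phishing.md hunk the alt text "example of how exploit kits work." for URLhover.png contradicts the bullet it sits under, which describes hovering over a link to reveal a URL that doesn't match the link text; the alt text should describe that (for example "Hovering over a link in an email reveals a URL that doesn't match the displayed address."). Adding a period to a wrong description is the only change made here.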
@@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant. Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). -![Enterprise applications user settings](images/msi-enterprise-app-user-setting.jpg) +![Enterprise applications user settings.](images/msi-enterprise-app-user-setting.jpg) More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow). Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification. -![Contoso sign in flow](images/msi-contoso-approval-required.png) +![Contoso sign in flow.](images/msi-contoso-approval-required.png) Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/). @@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica ## Option 2 Provide admin consent by authenticating the application as an admin This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission). -![Consent sign in flow](images/msi-microsoft-permission-required.jpg) +![Consent sign in flow.](images/msi-microsoft-permission-required.jpg) Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. 
@@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) and select **delete**. - ![Delete app permissions](images/msi-properties.png) + ![Delete app permissions.](images/msi-properties.png) 2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties). 3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. ``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access`` - ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) + ![Permissions needed.](images/msi-microsoft-permission-requested-your-organization.png) 4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). - ![Review that permissions are applied](images/msi-permissions.jpg) + ![Review that permissions are applied.](images/msi-permissions.jpg) 6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access. 
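Review bot: the `@@ -70` hunk leaves the admin-consent URL in step 3 with a fixed `state=12345`; `state` is the caller's CSRF/round-trip token in an OAuth authorization request, so the doc should mark it as a placeholder to replace rather than a value to copy, the same way `{tenant-id}` is marked. Separately, the portal deep links in steps 1 and 5 carry two different `objectId` values for the same `appId`; if these are service-principal object IDs they are tenant-specific and will not resolve for other readers' tenants, so directing readers to Enterprise applications and searching by the app ID would be more robust.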
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index ed4e5aaf84..2aa32ed8f6 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect This image shows how a worm can quickly spread through a shared USB drive. -![Worm example](./images/WormUSB-flight.png) +![Worm example.](./images/WormUSB-flight.png) ### *Figure worm spreading from a shared USB drive* diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index f0c6938382..83a6f5e00b 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md 
@@ -29,8 +29,8 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po For example: -[![VBS script](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) +[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) +[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 994ade09de..3b18ab25d3 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md 
@@ -45,7 +45,7 @@ Applies to: You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. The following diagram shows the flow between the host PC and the isolated container. -![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) +![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png) ## Install Application Guard @@ -55,7 +55,7 @@ Application Guard functionality is turned off by default. However, you can quick 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. - ![Windows Features, turning on Microsoft Defender Application Guard](images/turn-windows-features-on-off.png) + ![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png) 2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**. @@ -86,7 +86,7 @@ Application Guard functionality is turned off by default. However, you can quick > [!IMPORTANT] > Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment). -:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune"::: +:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune."::: 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index de798293db..4ad66674a9 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -29,7 +29,7 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. -![Hardware isolation diagram](images/appguard-hardware-isolation.png) +![Hardware isolation diagram.](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 74525211f8..d8ff39f397 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md 
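Review bot: the unchanged context in the md-app-guard-overview.md hunk reads "Application Guard helps prevents untrusted Word, PowerPoint and Excel files"; it should be "helps prevent". The claim that isolation "makes the isolated container anonymous" is also vague; the property being described is that the container has no access to the host's enterprise credentials, so consider stating that directly.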
@@ -33,7 +33,7 @@ You can see how an employee would use standalone mode with Application Guard. 2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu. - ![New Application Guard window setting option](images/appguard-new-window.png) + ![New Application Guard window setting option.](images/appguard-new-window.png) 3. Wait for Application Guard to set up the isolated environment. @@ -42,7 +42,7 @@ You can see how an employee would use standalone mode with Application Guard. 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. - ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png) ## Application Guard in Enterprise-managed mode 
@@ -64,19 +64,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1 c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. - ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png) d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. - ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png) 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. 5. Click **Enabled**, choose Option **1**, and click **OK**. - ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + ![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png) >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. 
@@ -85,13 +85,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1 After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. - ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) + ![Trusted website running on Microsoft Edge.](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. - ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png) ### Customize Application Guard @@ -118,7 +118,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) + ![Group Policy editor clipboard options.](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: @@ -144,7 +144,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Print options](images/appguard-gp-print.png) + ![Group Policy editor Print options.](images/appguard-gp-print.png) 3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. 
@@ -156,7 +156,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) + ![Group Policy editor Data Persistence options.](images/appguard-gp-persistence.png) 3. Open Microsoft Edge and browse to an untrusted, but safe URL. @@ -186,7 +186,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-download.png) + ![Group Policy editor Download options.](images/appguard-gp-download.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. @@ -200,7 +200,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) + ![Group Policy editor hardware acceleration options.](images/appguard-gp-vgpu.png) 3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. @@ -217,7 +217,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. 
@@ -231,7 +231,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) + ![Group Policy editor Camera and microphone options.](images/appguard-gp-allow-camera-and-mic.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. @@ -245,7 +245,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) + ![Group Policy editor Root certificate options.](images/appguard-gp-allow-root-certificates.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. 
@@ -258,10 +258,10 @@ Once a user has the extension and its companion app installed on their enterpris 1. Open either Firefox or Chrome — whichever browser you have the extension installed on. 2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. - ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png) 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. - ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png) 4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 80486846fb..146b20c787 100644 
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -61,7 +61,7 @@ If you believe a warning or block was incorrectly shown for a file or applicatio When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. -![Windows Security, Microsoft Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png) +![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) ## Viewing Microsoft Defender SmartScreen anti-phishing events diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 85c404a314..89c036958f 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md 
@@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) + ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png) ## How Microsoft Defender SmartScreen works when a user tries to run an app Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index c792222c8a..c2a1d31b98 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md 
@@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual 1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting. - ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png) + ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png) 2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic. @@ -52,12 +52,12 @@ The following procedure describes how to use Group Policy to override individual **Note**
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior. - ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png) + ![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png) ## Setting the bit field Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings: -![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png) +![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png) Where the bit flags are read from right to left and are defined as: diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index f98634584d..0a9058b91d 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -130,7 +130,7 @@ You can now see which processes have DEP enabled. -![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) +![Processes with DEP enabled in Windows 10.](images/security-fig5-dep.png) *Figure 2.  Processes on which DEP has been enabled in Windows 10* 
@@ -168,7 +168,7 @@ One of the most common techniques used to gain access to a system is to find a v Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. -![ASLR at work](images/security-fig4-aslr.png) +![ASLR at work.](images/security-fig4-aslr.png) **Figure 3.  ASLR at work** diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 220c774696..e24bb48367 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -56,13 +56,13 @@ Because mobile devices are increasingly being used to access corporate informati Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. -:::image type="content" alt-text="figure 1" source="images/hva-fig1-endtoend1.png"::: +:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png"::: A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. -:::image type="content" alt-text="figure 2" source="images/hva-fig2-assessfromcloud2.png"::: +:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png"::: Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. 
@@ -94,7 +94,7 @@ In Windows 10, there are three pillars of investments: This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. -:::image type="content" alt-text="figure 3" source="images/hva-fig3-endtoendoverview3.png"::: +:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png"::: | Number | Part of the solution | Description | | - | - | - | @@ -115,7 +115,7 @@ This section describes what Windows 10 offers in terms of security defenses and The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. -:::image type="content" alt-text="figure 4" source="images/hva-fig4-hardware.png"::: +:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png"::: Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: @@ -230,7 +230,7 @@ The following Windows 10 services are protected with virtualization-based securi The schema below is a high-level view of Windows 10 with virtualization-based security. -:::image type="content" alt-text="figure 5" source="images/hva-fig5-virtualbasedsecurity.png"::: +:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png"::: ### Credential Guard 
@@ -425,11 +425,11 @@ The antimalware software can search to determine whether the boot sequence conta Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. -:::image type="content" alt-text="figure 6" source="images/hva-fig6-logs.png"::: +:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png"::: When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. -:::image type="content" alt-text="figure 7" source="images/hva-fig7-measurement.png"::: +:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png"::: The health attestation process works as follows: @@ -459,7 +459,7 @@ The following process describes how health boot measurements are sent to the hea 4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. -:::image type="content" alt-text="figure 8" source="images/hva-fig8a-healthattest8a.png"::: +:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png"::: ### Device health attestation components 
@@ -632,7 +632,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr 2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. 3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. - :::image type="content" alt-text="figure 9" source="images/hva-fig8-evaldevicehealth8.png"::: + :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png"::: Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: @@ -671,7 +671,7 @@ The remote device health attestation process uses measured boot data to verify t The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. -:::image type="content" alt-text="figure 10" source="images/hva-fig9-intune.png"::: +:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png"::: An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. 
@@ -705,7 +705,7 @@ If the device is not registered, the user will get a message with instructions o **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. -:::image type="content" alt-text="figure 11" source="images/hva-fig10-conditionalaccesscontrol.png"::: +:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png"::: ### Office 365 conditional access control @@ -725,7 +725,7 @@ The user will be denied access to services when sign-in credentials are changed, Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. -:::image type="content" alt-text="figure 12" source="images/hva-fig11-office365.png"::: +:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png"::: Clients that attempt to access Office 365 will be evaluated for the following properties: 
@@ -758,7 +758,7 @@ For on-premises applications there are two options to enable conditional access - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. -:::image type="content" alt-text="figure 13" source="images/hva-fig12-conditionalaccess12.png"::: +:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png"::: The following process describes how Azure AD conditional access works: diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index eb88a41772..ce251bc758 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -36,7 +36,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1 This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The Privacy setting is off by default, which hides the details. -![Privacy setting](images/privacy-setting-in-sign-in-options.png) +![Privacy setting.](images/privacy-setting-in-sign-in-options.png) The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 426d291c10..7a58b942a4 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -157,7 +157,7 @@ The following diagram shows Security Settings and related features. #### Security Settings Policies and Related Features -![components related to security policies](images/secpol-components.gif) +![components related to security policies.](images/secpol-components.gif) - **Scesrv.dll** @@ -181,7 +181,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the **Security Settings Architecture** -![architecture of security policy settings](images/secpol-architecture.gif) +![architecture of security policy settings.](images/secpol-architecture.gif) The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. 
@@ -321,7 +321,7 @@ In the context of Group Policy processing, security settings policy is processed **Multiple GPOs and Merging of Security Policy** - ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + ![multiple gpos and merging of security policy.](images/secpol-multigpomerge.gif) 1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. 1. The security settings policies are applied to devices. @@ -329,7 +329,7 @@ The following figure illustrates the security settings policy processing. **Security Settings Policy Processing** -![process and interactions of security policy settings](images/secpol-processes.gif) +![process and interactions of security policy settings.](images/secpol-processes.gif) ### Merging of security policies on domain controllers diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 277bc347d1..a8362c5bda 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -380,9 +380,9 @@ This can easily be extended to other Auto-Execution Start Points keys in the reg Use the following figures to see how you can configure those registry keys. -![default acl for run key](images/runkey.png) +![default acl for run key.](images/runkey.png) -![default acl for runonce key](images/runoncekey.png) +![default acl for runonce key.](images/runoncekey.png) ## Appendix C - Event channel settings (enable and channel access) methods 
@@ -399,7 +399,7 @@ The following GPO snippet performs the following: - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. -![configure event channels](images/capi-gpo.png) +![configure event channels.](images/capi-gpo.png) ## Appendix D - Minimum GPO for WEF Client configuration @@ -409,7 +409,7 @@ Here are the minimum steps for WEF to operate: 2. Start the WinRM service. 3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. -![configure the wef client](images/wef-client-config.png) +![configure the wef client.](images/wef-client-config.png) ## Appendix E – Annotated baseline subscription event query diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index 9b1eb730a6..11b4c1a58b 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md 
@@ -299,7 +299,7 @@ One of the most common techniques used by attackers to gain access to a system i Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts. -![figure 3](images/mobile-security-guide-figure3.png) +![figure 3.](images/mobile-security-guide-figure3.png) Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system. diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 311cfd2625..8a31f70d8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
@@ -32,7 +32,7 @@ Refer to the below video for an overview and brief demo. > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp] ## Policy Authorization Process -![Policy Authorization](images/wdac-intune-policy-authorization.png) +![Policy Authorization.](images/wdac-intune-policy-authorization.png) The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly. 1. Generate a supplemental policy with WDAC tooling 
@@ -84,11 +84,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number. ## Standard Process for Deploying Apps through Intune -![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) +![Deploying Apps through Intune.](images/wdac-intune-app-deployment.png) Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment. ## Optional: Process for Deploying Apps using Catalogs -![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png) +![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png) Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well. Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index f197b8f4b2..af49d0b081 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. -![applocker blocked application error message](images/blockedappmsg.gif) +![applocker blocked application error message.](images/blockedappmsg.gif) For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 5350f5c843..9ffaf2b82c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
@@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. -![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) +![applocker rule enforcement inheritance chart.](images/applocker-plan-inheritance.gif) In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 0f909bdf3d..a51539d046 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application The following diagram shows the main points in the design, planning, and deployment process for AppLocker. -![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) +![applocker quick reference guide.](images/applocker-plandeploy-quickreference.gif) ## Resources to support the deployment process 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index c1d7ac7c71..48dc8c3166 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -42,7 +42,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these **Figure 1. Exceptions to the deployed WDAC policy**
- ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 5ed5fa1cf7..7700137052 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
@@ -41,7 +41,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). **Figure 1. Exceptions to the deployed WDAC policy** - ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index f3b993cbc0..7eabd55187 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md 
@@ -35,7 +35,7 @@ ECDSA is not supported. 2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. - ![CA snap-in showing Certificate Templates](images/dg-fig27-managecerttemp.png) + ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png) Figure 1. Manage the certificate templates @@ -51,7 +51,7 @@ ECDSA is not supported. 8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. - ![Edit Basic Constraints Extension](images/dg-fig29-enableconstraints.png) + ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png) Figure 2. Select constraints on the new template @@ -67,7 +67,7 @@ When this certificate template has been created, you must publish it to the CA p 1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3. - ![Select Certificate Template to Issue](images/dg-fig30-selectnewcert.png) + ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png) Figure 3. Select the new certificate template to issue @@ -85,7 +85,7 @@ Now that the template is available to be issued, you must request one from the c 4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. - ![Request Certificates: more information required](images/dg-fig31-getmoreinfo.png) + ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png) Figure 4. Get more information for your code signing certificate 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 2a3d5a91f3..ba2fcb0f9b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -138,7 +138,7 @@ To sign the existing catalog file, copy each of the following commands into an e 4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. - ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png) + ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png) Figure 1. Verify that the signing certificate exists @@ -178,7 +178,7 @@ To simplify the management of catalog files, you can use Group Policy preference > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate). - ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png) + ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png) Figure 2. Create a new GPO 
@@ -188,7 +188,7 @@ To simplify the management of catalog files, you can use Group Policy preference 5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3. - ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png) + ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png) Figure 3. Create a new file @@ -198,7 +198,7 @@ To simplify the management of catalog files, you can use Group Policy preference 7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used. - ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png) + ![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png) Figure 4. Set the new file properties @@ -231,7 +231,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c 3. Name the package, set your organization as the manufacturer, and select an appropriate version number. - ![Create Package and Program Wizard](images/dg-fig16-specifyinfo.png) + ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png) Figure 5. Specify information about the new package @@ -253,7 +253,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c - From the **Drive mode** list, select **Runs with UNC name**. - ![Standard Program page of wizard](images/dg-fig17-specifyinfo.png) + ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png) Figure 6. Specify information about the standard program 
@@ -281,7 +281,7 @@ After you create the deployment package, deploy it to a collection so that the c - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. - ![Deploy Software Wizard, User Experience page](images/dg-fig18-specifyux.png) + ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png) Figure 7. Specify the user experience @@ -306,13 +306,13 @@ When catalog files have been deployed to the computers within your environment, 3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8. - ![Create Custom Client Device Settings](images/dg-fig19-customsettings.png) + ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png) Figure 8. Select custom settings 4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9. - ![Software Inventory settings for devices](images/dg-fig20-setsoftwareinv.png) + ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png) Figure 9. Set the software inventory @@ -325,7 +325,7 @@ When catalog files have been deployed to the computers within your environment, 7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10. - ![Path Properties, specifying a path](images/dg-fig21-pathproperties.png) + ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png) Figure 10. Set the path properties 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index 8e8fa29002..f3d496160b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -39,7 +39,7 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md). - ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png) + ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png) 3. Name the new GPO. You can choose any name. @@ -47,7 +47,7 @@ To deploy and manage a WDAC policy with Group Policy: 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**. - ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png) + ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png) 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path. 
@@ -56,7 +56,7 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. - ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png) + ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png) > [!NOTE] > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8cf09e5b2f..b4cb9a3f05 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -66,7 +66,7 @@ The steps to use Intune's custom OMA-URI functionality are: - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] - > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) + > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png) > [!NOTE] > For the _Policy GUID_ value, do not include the curly brackets. diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index a9cd8c8585..12975743d7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -41,7 +41,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab 6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. -![Recommended WDAC policy deployment process](images/policyflow.png) +![Recommended WDAC policy deployment process.](images/policyflow.png) ### Keep WDAC policies in a source control or document management solution diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 2c5382e43b..4915d3faea 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md). -![Selecting a base template for the policy](images/wdac-wizard-template-selection.png) +![Selecting a base template for the policy.](images/wdac-wizard-template-selection.png) Once the base template is selected, give the policy a name and choose where to save the application control policy on disk. @@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi | **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | > [!div class="mx-imgBorder"] -> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) +> ![Rule options UI for Windows Allowed mode policy.](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) ### Advanced Policy Rules Description 
@@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | -![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png) +![Rule options UI for Windows Allowed mode.](images/wdac-wizard-rule-options-UI.png) > [!NOTE] > We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. @@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | -![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) +![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules 
@@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c | **Internal name** | Specifies the internal name of the binary. | > [!div class="mx-imgBorder"] -> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) +> ![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) ### File Hash Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index bca81708e6..5f96c11702 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md 
@@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [ Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation. -![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png) +![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png) If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. -![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png) +![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png) Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). -![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png) +![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png) ## Configuring Policy Rules 
@@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | -![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png) +![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png) ## Creating custom file rules @@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | -![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) +![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules @@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c | **Internal name** | Specifies the internal name of the binary. | -![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) +![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) ### File Hash Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index 2b94c7f004..09c88d84aa 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). -![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png) +![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png) A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules). 
@@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. -![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png) +![Removing file rule from policy during edit.](images/wdac-wizard-edit-remove-file-rule.png) **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md index ec6e988048..66ad01329f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md 
@@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. -![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png) +![Merging WDAC policies into a final WDAC policy.](images/wdac-wizard-merge.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 6da28ad681..ed1a7fe460 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -57,4 +57,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 80d025f7ac..544e90142e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
@@ -76,4 +76,4 @@ This can only be done in Group Policy. > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 1bfddcc3f2..969d80c8bf 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -32,11 +32,11 @@ ms.technology: mde You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![The security center custom fly-out](images/security-center-custom-flyout.png) +![The security center custom fly-out.](images/security-center-custom-flyout.png) This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). -![A security center notification](images/security-center-custom-notif.png) +![A security center notification.](images/security-center-custom-notif.png) Users can select the displayed information to initiate a support request: 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 919f2cb7a2..13fce0f2d5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -56,4 +56,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f0627d2869..f4d3053cd9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -50,7 +50,7 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) ## Disable the Clear TPM button If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index c7d0fb4944..274c66bd66 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -55,4 +55,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 5cf74d9fdf..3a14dc7c26 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -52,5 +52,5 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 762e9c7402..87960171d1 100644 
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -63,7 +63,7 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) ## Hide the Ransomware protection area diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 146bdcc78e..30cc06c3d0 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md 
@@ -34,7 +34,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 17eb0a98fd..fe03727f33 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -31,7 +31,7 @@ In Windows 10, version 1709 and later, the app also shows information from third In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. -![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) +![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png) > [!NOTE] > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). 
@@ -55,19 +55,19 @@ You can find more information about each section, including options for configur > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) ## Open the Windows Security app - Click the icon in the notification area on the taskbar. - ![Screenshot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) + ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png) - Search the Start menu for **Windows Security**. - ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) + ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screenshot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) + ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png) > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 8b55c05b3e..848345ef8b 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -52,7 +52,7 @@ DRTM lets the system freely boot into untrusted code initially, but shortly afte This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. -![System Guard Secure Launch](images/system-guard-secure-launch.png) +![System Guard Secure Launch.](images/system-guard-secure-launch.png) Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
@@ -82,7 +82,7 @@ While Windows Defender System Guard provides advanced protection that will help As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. -![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) +![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png) After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 14695d80d0..55321967df 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -38,13 +38,13 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. - ![Secure Launch Configuration](images/secure-launch-group-policy.png) + ![Secure Launch Configuration.](images/secure-launch-group-policy.png) ### Windows Security Center Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. - ![Windows Security Center](images/secure-launch-security-app.png) + ![Windows Security Center.](images/secure-launch-security-app.png) ### Registry 
@@ -58,13 +58,13 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > 5. Double-click **Enabled**, change the value to **1**, and click **OK**. - ![Secure Launch Registry](images/secure-launch-registry.png) + ![Secure Launch Registry.](images/secure-launch-registry.png) ## How to verify System Guard Secure Launch is configured and running To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security Center.](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 71f0392376..5819f886fd 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md 
@@ -38,7 +38,7 @@ type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./op When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. -![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png) +![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png) *Figure 1: Windows Defender Firewall* @@ -55,7 +55,7 @@ View detailed settings for each profile by right-clicking the top-level **Window Maintain the default settings in Windows Defender Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. -![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png) +![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png) *Figure 2: Default inbound/outbound settings* @@ -70,7 +70,7 @@ In many cases, a next step for administrators will be to customize these profile This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: -![Rule creation wizard](images/fw02-createrule.png) +![Rule creation wizard.](images/fw02-createrule.png) *Figure 3: Rule Creation Wizard* @@ -131,7 +131,7 @@ To determine why some applications are blocked from communicating in the network Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. -![Windows Firewall prompt](images/fw04-userquery.png) +![Windows Firewall prompt.](images/fw04-userquery.png) *Figure 4: Dialog box to allow access* 
@@ -148,7 +148,7 @@ Rule merging settings control how rules from different policy sources can be com The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy. -![Customize settings](images/fw05-rulemerge.png) +![Customize settings.](images/fw05-rulemerge.png) *Figure 5: Rule merging setting* @@ -180,11 +180,11 @@ An important firewall feature you can use to mitigate damage during an active at Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. -![Incoming connections](images/fw06-block.png) +![Incoming connections.](images/fw06-block.png) *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* -![Firewall cpl](images/fw07-legacy.png) +![Firewall cpl.](images/fw07-legacy.png) *Figure 7: Legacy firewall.cpl* diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 0e67454be2..37d7edb647 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md 
@@ -32,7 +32,7 @@ The GPOs you build for the boundary zone include IPsec or connection security ru Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. -![design flowchart](images/wfas-designflowchart1.gif) +![design flowchart.](images/wfas-designflowchart1.gif) The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index bf9a3f7d47..479b2e67af 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md 
@@ -28,7 +28,7 @@ ms.technology: mde To get started, open Device Configuration in Intune, then create a new profile. Choose Windows 10 as the platform, and Endpoint Protection as the profile type. Select Windows Defender Firewall. -![Windows Defender Firewall in Intune](images/windows-firewall-intune.png) +![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png) >[!IMPORTANT] >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 0e7f47576b..8f27c49ab5 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -32,7 +32,7 @@ In addition to the basic protection provided by the firewall rules in the previo The following illustration shows the traffic protection needed for this design example. -![domain isolation policy design](images/wfas-design2example1.gif) +![domain isolation policy design.](images/wfas-design2example1.gif) 1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. 
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 6c13157e59..659827d1c6 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -34,7 +34,7 @@ By using connection security rules based on IPsec, you provide a logical barrier The design is shown in the following illustration, with the arrows that show the permitted communication paths. -![isolated domain boundary zone](images/wfasdomainisoboundary.gif) +![isolated domain boundary zone.](images/wfasdomainisoboundary.gif) Characteristics of this design, as shown in the diagram, include the following: diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 90d5fd2514..718505a9d7 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -22,7 +22,7 @@ Debugging packet drops is a continuous issue to Windows customers. In the past, Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. -![Event properties](images/event-properties-5157.png) +![Event properties.](images/event-properties-5157.png) The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. 
@@ -73,7 +73,7 @@ To enable a specific audit event, run the corresponding command in an administra As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on. -![Event audit](images/event-audit-5157.png) +![Event audit.](images/event-audit-5157.png) The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**. @@ -86,7 +86,7 @@ Get-NetFirewallRule -Name “” Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} " ``` -![Firewall rule](images/firewallrule.png) +![Firewall rule.](images/firewallrule.png) After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`. @@ -118,7 +118,7 @@ Get-NetIPInterface –InterfaceIndex Get-NetIPInterface –InterfaceIndex 5 ``` -![Quarantine default block filter](images/quarantine-default-block-filter.png) +![Quarantine default block filter.](images/quarantine-default-block-filter.png) To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md). @@ -139,7 +139,7 @@ To generate a list of all the query user block rules, you can run the following Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} ``` -![Query user default block filter](images/query-user-default-block-filters.png) +![Query user default block filter.](images/query-user-default-block-filters.png) The query user pop-up feature is enabled by default. 
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 8c8fb36ee5..5a6acfea96 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -38,7 +38,7 @@ The network administrators want to implement Windows Defender Firewall with Adva The following illustration shows the traffic protection needs for this design example. -![design example 1](images/wfas-designexample1.gif) +![design example 1.](images/wfas-designexample1.gif) 1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 7b95852c3d..265019f489 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
@@ -41,7 +41,7 @@ The following are important factors in the implementation of your Windows Defend The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. -![wfas implementation](images/wfas-implement.gif) +![wfas implementation.](images/wfas-implement.gif) Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index 87bab115a6..bd087a2124 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -196,7 +196,7 @@ Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /s Sample drop audit with `filterOrigin` as `Quarantine Default`. -![Quarantine default](images/quarantine-default1.png) +![Quarantine default.](images/quarantine-default1.png) Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface: 
@@ -205,7 +205,7 @@ Get-NetIPInterface –InterfaceIndex Get-NetIPInterface –InterfaceIndex 5 ``` -![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png) +![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png) Using the interface name, event viewer can be searched for any interface related changes. diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 81a548b4ee..8fbeb35412 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -30,7 +30,7 @@ For devices that share sensitive information over the network, Windows Defender The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. -![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif) +![encryption zone in an isolated domain.](images/wfas-domainisoencrypt.gif) This goal provides the following benefits: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index a50232fe28..1a7c288575 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md 
@@ -34,7 +34,7 @@ You can restrict access by specifying either computer or user credentials. The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. -![isolated domain with network access groups](images/wfas-domainnag.gif) +![isolated domain with network access groups.](images/wfas-domainnag.gif) This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index d7de7d8963..5285e56ad9 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -35,7 +35,7 @@ The protection provided by domain isolation can help you comply with regulatory The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. -![domain isolation](images/wfas-domainiso.gif) +![domain isolation.](images/wfas-domainiso.gif) These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: 
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 4c6f3f4fb7..8cb2a35d50 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -59,7 +59,7 @@ These procedures assume that you already have a public key infrastructure (PKI) The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. -![the contoso corporate network](images/corpnet.gif) +![the contoso corporate network.](images/corpnet.gif) **Figure 1** The Contoso corporate network @@ -77,7 +77,7 @@ This script does the following: - Creates the IKEv2 connection security rule called **My IKEv2 Rule**. -![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** +![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. 
@@ -117,7 +117,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. -![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** +![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index 0e2b6ce11e..a0070cf114 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -46,7 +46,7 @@ In addition to the protection provided by the firewall rules and domain isolatio The following illustration shows the traffic protection needs for this design example. -![isolated server example](images/wfas-design3example1.gif) +![isolated server example.](images/wfas-design3example1.gif) 1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index f4d452b4cf..7d44e7c17c 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -32,7 +32,7 @@ You can implement a server isolation design without using domain isolation. To d The design is shown in the following illustration, with arrows that show the permitted communication paths. -![isolated domain with isolated server](images/wfas-domainisohighsec.gif) +![isolated domain with isolated server.](images/wfas-domainisohighsec.gif) Characteristics of this design include the following: diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 3e383743a4..bf70a3a3b7 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md 
@@ -328,7 +328,7 @@ Windows PowerShell can create powerful, complex IPsec policies like in Netsh and In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. -![object model for creating a single ipsec rule](images/createipsecrule.gif) +![object model for creating a single ipsec rule.](images/createipsecrule.gif) ### Create IPsec rules @@ -353,7 +353,7 @@ If you want to create a custom set of quick-mode proposals that includes both AH You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. -![crypto set object](images/qmcryptoset.gif) +![crypto set object.](images/qmcryptoset.gif) In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index f18a5180db..8e719f1364 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md 
@@ -61,12 +61,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) +[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) ## Related Videos diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index cfb7427cbc..170918a4fa 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -60,12 +60,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog](./../images/community.png)](/archive/blogs/secguide/) +[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) ## Related Videos diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index 1387997652..b99b7a48ad 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -38,7 +38,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 1. Go to the article that you want to update, and then click **Edit**. - ![GitHub Web, showing the Edit link](images/contribute-link.png) + ![GitHub Web, showing the Edit link.](images/contribute-link.png) 2. Sign into (or sign up for) a GitHub account. 
@@ -46,7 +46,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 3. Click the **Pencil** icon (in the red box) to edit the content. - ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) + ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) @@ -55,11 +55,11 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**. - ![GitHub Web, showing the Propose file change button](images/propose-file-change.png) + ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) The **Comparing changes** screen shows the changes between your version of the article and the original content. @@ -67,7 +67,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 83e1c6b032..256dad7a3a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -![Microsoft Defender for Endpoint](../images/wdatp.png) +![Microsoft Defender for Endpoint.](../images/wdatp.png) ##### Attack surface reduction @@ -275,7 +275,7 @@ The WSC service now requires antivirus products to run as a protected process to WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. -![Security at a glance](../images/defender.png "Windows Security Center") +![Security at a glance.](../images/defender.png "Windows Security Center") #### Group Policy Security Options @@ -288,7 +288,7 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![S mode settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") +![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings") ## Deployment 
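Review bot: In the `@@ -288,7 +288,7 @@` hunk the alt text `S mode settings.` does not describe the image it labels (`virus-and-threat-protection.png`, titled "Virus & threat protection settings"); since the line is being edited anyway, replace it with descriptive alt text, for example `![Virus & threat protection settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")`, which is the wording the version 1809 article uses for the same image. The hunk header context also shows the untouched typo "This version of Window 10" (missing "s"), worth fixing in the same pass.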
@@ -387,7 +387,7 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in](../images/fastsignin.png "fast sign-in") + ![fast sign-in.](../images/fastsignin.png "fast sign-in") ### Web sign-in to Windows 10 @@ -402,7 +402,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. -![Sign-in option](../images/websignin.png "web sign-in") +![Sign-in option.](../images/websignin.png "web sign-in") ## Windows Analytics @@ -470,7 +470,7 @@ The OS uninstall period is a length of time that users are given when they can o Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard](../images/bulk-token.png) +![get bulk token action in wizard.](../images/bulk-token.png) ### Windows Spotlight @@ -636,7 +636,7 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. -![Reg editor](../images/regeditor.png "Registry editor dropdown") +![Reg editor.](../images/regeditor.png "Registry editor dropdown") ## Remote Desktop with Biometrics 
@@ -650,9 +650,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: -![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Provide credentials](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") +![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello") +![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016") ## See Also diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index b05bba2289..48bf6b509b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -31,11 +31,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. -![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png) +![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png) Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp). -![remove pre-installed software option](images/wcd-cleanpc.png) +![remove pre-installed software option.](images/wcd-cleanpc.png) [Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) 
@@ -44,7 +44,7 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard](images/bulk-token.png) +![get bulk token action in wizard.](images/bulk-token.png) ### Windows Spotlight @@ -279,7 +279,7 @@ Learn about the new Group Policies that were added in Windows 10, version 1703. The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml). -![Lockdown Designer app in Store](images/ldstore.png) +![Lockdown Designer app in Store.](images/ldstore.png) [Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index e73c5af9bc..6410248ff6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
@@ -46,7 +46,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: > [!div class="mx-imgBorder"] -> ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") +> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -109,16 +109,16 @@ To try this: See the following example: > [!div class="mx-imgBorder"] -> ![Security at a glance](images/1_AppBrowser.png "app and browser control") +> ![Security at a glance.](images/1_AppBrowser.png "app and browser control") > [!div class="mx-imgBorder"] -> ![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing") > [!div class="mx-imgBorder"] -> ![change WDAG settings](images/3_ChangeSettings.png "change settings") +> ![change WDAG settings.](images/3_ChangeSettings.png "change settings") > [!div class="mx-imgBorder"] -> ![view WDAG settings](images/4_ViewSettings.jpg "view settings") +> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings") ### Windows Security Center 
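Review bot: In the `@@ -109,16 +109,16 @@` hunk the alt text `Security at a glance.` on `1_AppBrowser.png` does not match that image's own title "app and browser control"; adding a period to mismatched alt text keeps it mismatched, so suggest `![App and browser control.](images/1_AppBrowser.png "app and browser control")` while the line is open.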
@@ -130,7 +130,7 @@ The WSC service now requires antivirus products to run as a protected process to WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. -![alt text](images/defender.png "Windows Security Center") +![alt text.](images/defender.png "Windows Security Center") ### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes @@ -195,7 +195,7 @@ We introduced a simplified assigned access configuration experience in **Setting To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. -![set up a kiosk](images/kiosk-mode.png "set up a kiosk") +![set up a kiosk.](images/kiosk-mode.png "set up a kiosk") Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. @@ -203,7 +203,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty 2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. -![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") +![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
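Review bot: The `@@ -130,7 +130,7 @@` hunk changes `![alt text]` to `![alt text.]`, which leaves the placeholder in place for screen readers; replace it with descriptive alt text such as `![Security at a glance.](images/defender.png "Windows Security Center")`, the wording the LTSC 2019 article uses for the same `defender.png` image.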
@@ -212,11 +212,11 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. -![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") +![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. -![normal mode](images/Normal_inFrame.png "normal mode") +![normal mode.](images/Normal_inFrame.png "normal mode") Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). @@ -224,7 +224,7 @@ Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-ed We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. -![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") +![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown") ## Faster sign-in to a Windows 10 shared pc @@ -237,7 +237,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in](images/fastsignin.png "fast sign-in") + ![fast sign-in.](images/fastsignin.png "fast sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. 
@@ -259,7 +259,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 4. Click the **Sign in** button to continue. > [!div class="mx-imgBorder"] - > ![Web sign-in](images/websignin.png "web sign-in") + > ![Web sign-in.](images/websignin.png "web sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. @@ -271,7 +271,7 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. > [!div class="mx-imgBorder"] -> ![your phone](images/your-phone.png "your phone") +> ![your phone.](images/your-phone.png "your phone") The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. @@ -283,7 +283,7 @@ One of the things we’ve heard from you is that it’s hard to know when you’ * Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly * Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. -![wireless projection banner](images/beaming.png "wireless projection banner") +![wireless projection banner.](images/beaming.png "wireless projection banner") ## Remote Desktop with Biometrics 
@@ -293,6 +293,6 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: -![Enter your credentials](images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") +![Enter your credentials.](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials.](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016") diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 371bf97c95..74eb1725e2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -125,7 +125,7 @@ The draft release of the [security configuration baseline settings](/archive/blo This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: -![System Guard](images/system-guard.png "SMM Firmware Measurement") +![System Guard.](images/system-guard.png "SMM Firmware Measurement") ### Identity Protection diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index ac0d4984f2..692871b1c3 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md 
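Review bot: The `@@ -293,6 +293,6 @@` hunk leaves two different images (`RDPwBioTime.png` and `RDPwBio2.png`) with identical alt text `Enter your credentials.`; the LTSC 2019 article distinguishes them with `Provide credentials.` for the second image, and this article should do the same so the two screenshots are not announced as the same thing.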
@@ -43,7 +43,7 @@ In this release, [Windows Defender System Guard](/windows/security/threat-prote With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. - ![System Guard](images/system-guard2.png) + ![System Guard.](images/system-guard2.png) ### Windows Defender Application Guard From dd0d39dbb5eaa3beb0f7973cbeecaf98042fc9f7 Mon Sep 17 00:00:00 2001 From: Michael Mardahl Date: Sun, 22 Aug 2021 20:41:56 +0200 Subject: [PATCH 04/41] Update hello-feature-remote-desktop.md Just noticed some gibberish wording and have tried to adjust to the sentences make more sense. I just concentrated on the part I needed, I have not gone through the entire document. (Less is more ;)) --- .../hello-for-business/hello-feature-remote-desktop.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 30dc6c78e6..6590ff5250 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
@@ -25,7 +25,7 @@ ms.reviewer: - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices -Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish an RDP connection. Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. 
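Review bot: The `@@ -25,7 +25,7 @@` hunk appends "to establish an RDP connection" to the Remote Credential Guard sentence, but that sentence still sits directly after "This functionality is not supported for key trust deployments", so a reader can read the two as contradictory; consider leading with "Key trust deployments can instead use ..." to make clear that Remote Credential Guard is the alternative path for key trust. The trailing context line "supporting using keys trust" also has the typo "keys trust" for "key trust", which could be fixed in the same change.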
@@ -38,7 +38,7 @@ Microsoft continues to investigate supporting using keys trust for supplied cred - Biometric enrollments - Windows 10, version 1809 -Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. +Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. ### How does it work @@ -69,4 +69,4 @@ Users appreciate convenience of biometrics and administrators value the security - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) From 61149771d21407e0591221acf12c171e6f0b3b64 Mon Sep 17 00:00:00 2001 
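Review bot: In the `@@ -38,7 +38,7 @@` hunk the new sentence still opens with "Users using earlier versions of Windows 10", which is the kind of repetition the commit message set out to remove; suggest "Users of earlier versions of Windows 10 could authenticate to a remote desktop ...". The end-of-file newline fix in the second hunk is fine.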
From: Alekhya Jupudi Date: Mon, 23 Aug 2021 14:11:14 +0530 Subject: [PATCH 05/41] TASK 5358645: Windows 11 Inclusion Update -01 TASK 5358645: First batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to few words as per Acrolinx suggestions to meet the PR criteria). --- .../LOB-win32-apps-on-s.md | 11 +++-- ...ows-defender-application-control-policy.md | 13 +++--- ...s-defender-application-control-policies.md | 10 +++-- ...s-defender-application-control-policies.md | 10 +++-- ...-apps-deployed-with-a-managed-installer.md | 10 +++-- .../configure-wdac-managed-installer.md | 12 ++++-- ...or-windows-defender-application-control.md | 10 +++-- .../create-initial-default-policy.md | 30 +++++++------ ...e-wdac-policy-for-fully-managed-devices.md | 40 ++++++++++-------- ...wdac-policy-for-lightly-managed-devices.md | 42 ++++++++++--------- ...rt-windows-defender-application-control.md | 8 +++- ...s-defender-application-control-policies.md | 10 +++-- ...ion-control-policies-using-group-policy.md | 14 ++++--- ...plication-control-policies-using-intune.md | 13 ++++-- ...s-defender-application-control-policies.md | 8 +++- ...s-defender-application-control-policies.md | 12 ++++-- .../example-wdac-base-policies.md | 10 +++-- .../feature-availability.md | 12 ++++-- ...th-windows-defender-application-control.md | 8 +++- ...s-defender-application-control-policies.md | 12 ++++-- .../microsoft-recommended-block-rules.md | 16 ++++--- ...icrosoft-recommended-driver-block-rules.md | 12 ++++-- ...defender-application-control-management.md | 14 ++++--- .../select-types-of-rules-to-create.md | 18 ++++---- .../types-of-devices.md | 16 ++++--- 25 files changed, 236 insertions(+), 135 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 311cfd2625..af1e30dca2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -1,5 +1,5 @@ --- -title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10) +title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows) description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -23,10 +23,15 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 +- Windows Server 2016 and above -Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices. +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). -With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization". +Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices. + +With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization". Refer to the below video for an overview and brief demo. > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp] 
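Review bot: In the `@@ -23,10 +23,15 @@` hunk the added note text reads "Learn more about the [Defender App Guard feature availability](feature-availability.md)", but the sentence and the linked page are about Windows Defender Application Control, and "App Guard" names a different feature (Application Guard); change the link text to "Windows Defender Application Control feature availability". The same hunk also adds "Windows Server 2016 and above" to the Applies to list of an article whose subject is Intune-managed Windows 10 in S mode devices; S mode is a client-edition feature, so that entry should be verified before it is merged.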
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 4b3eb396a8..107430388b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -1,5 +1,5 @@ --- -title: Allow COM object registration in a WDAC policy (Windows 10) +title: Allow COM object registration in a WDAC policy (Windows) description: You can allow COM object registration in a Windows Defender Application Control policy. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,17 +22,20 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). >[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. ### COM object configurability in WDAC policy -Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. 
The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. **NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates: diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index c1d7ac7c71..bc1218b82c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Use audit events to create then enforce WDAC policy rules (Windows 10) +title: Use audit events to create then enforce WDAC policy rules (Windows) description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 5ed5fa1cf7..cb94565bff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Use audit events to create WDAC policy rules (Windows 10) +title: Use audit events to create WDAC policy rules (Windows) description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 15639fd8d3..76eb273ded 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -1,5 +1,5 @@ --- -title: Configure authorized apps deployed with a WDAC-managed installer (Windows 10) +title: Configure authorized apps deployed with a WDAC-managed installer (Windows) description: Explains how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 9d15cbfcc7..14ac17e575 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -1,5 +1,5 @@ --- -title: Configure a WDAC managed installer (Windows 10) +title: Configure a WDAC managed installer (Windows) description: Explains how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. There are three primary steps to keep in mind: @@ -126,7 +130,7 @@ For example: In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. -Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option. +Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option. 1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index f3b993cbc0..b9ca84a296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md 
@@ -1,5 +1,5 @@ --- -title: Create a code signing cert for Windows Defender Application Control (Windows 10) +title: Create a code signing cert for Windows Defender Application Control (Windows) description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -23,7 +23,11 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). @@ -75,7 +79,7 @@ When this certificate template has been created, you must publish it to the CA p 2. Select the WDAC Catalog signing certificate, and then click **OK**. -Now that the template is available to be issued, you must request one from the computer running Windows 10 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: +Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: 1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index a4d560af0b..40ab4ad3bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,5 +1,5 @@ --- -title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10) +title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows) description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,30 +22,34 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc... +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). -For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. -Then create the WDAC policy by scanning the system for installed applications. +This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. + +For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. +Then create the WDAC policy by scanning the system for installed applications. The policy file is converted to binary format when it gets created so that Windows can interpret it. 
## Overview of the process of creating Windows Defender Application Control policies A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). -Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. +Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. 
This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed. -If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). > [!NOTE] -> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. +> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. -Each installed software application should be validated as trustworthy before you create a policy. -We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. -Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts. -You can remove or disable such software on the reference computer. +Each installed software application should be validated as trustworthy before you create a policy. +We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. 
+Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts. +You can remove or disable such software on the reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index cceb8da77d..3870af3447 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -1,5 +1,5 @@ --- -title: Create a WDAC policy for fully-managed devices (Windows 10) +title: Create a WDAC policy for fully managed devices (Windows) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: security, malware ms.topic: conceptual 
@@ -19,29 +19,33 @@ ms.date: 11/20/2019 ms.technology: mde --- -# Create a WDAC policy for fully-managed devices +# Create a WDAC policy for fully managed devices **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access. +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. > [!NOTE] -> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. 
When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. +> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of WDAC. -Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. +Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. 
In particular, certain job functions such as administrative staff and firstline workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. -## Define the "circle-of-trust" for fully-managed devices +## Define the "circle-of-trust" for fully managed devices -Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices: +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices: -- All clients are running Windows 10 version 1903 or above; +- All clients are running Windows 10 version 1903 or above or Windows 11; - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; > [!NOTE] 
@@ -55,15 +59,15 @@ Alice's team develops a simple console application, called *LamnaITInstaller.exe Based on the above, Alice defines the pseudo-rules for the policy: -1. **“Windows works”** rules which authorizes: +1. **“Windows works”** rules that authorize: - Windows - WHQL (3rd party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function +2. **"MEMCM works”** rules that include signer and hash rules for MEMCM components to properly function 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) -The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: +The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: - Removal of the Intelligent Security Graph (ISG) option; and - Removal of filepath rules. 
@@ -77,7 +81,7 @@ Alice follows these steps to complete this task: > [!NOTE] > If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. -1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above. +1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11. 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: @@ -129,12 +133,12 @@ Alice follows these steps to complete this task: At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. -## Security considerations of this fully-managed policy +## Security considerations of this fully managed policy -Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: +Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: - **Users with administrative access**
- Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish. + Although applying to fewer users, Lamna still allows some IT staff to log in to its fully managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. @@ -160,7 +164,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. Possible mitigations: - - Use signed WDAC policies which allow authorized signed supplemental policies only. + - Use signed WDAC policies that allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. ## Up next diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index c4dabcde4c..76199f55b5 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -1,5 +1,5 @@ --- -title: Create a WDAC policy for lightly-managed devices (Windows 10) +title: Create a WDAC policy for lightly managed devices (Windows) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: security, malware ms.topic: conceptual 
@@ -19,29 +19,33 @@ ms.date: 11/15/2019 ms.technology: mde --- -# Create a WDAC policy for lightly-managed devices +# Create a WDAC policy for lightly managed devices **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics. +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. > [!NOTE] -> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. +> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. 
When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads. For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. 
-## Define the "circle-of-trust" for lightly-managed devices +## Define the "circle-of-trust" for lightly managed devices -Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices: +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices: -- All clients are running Windows 10 version 1903 or above; +- All clients are running Windows 10 version 1903 and above, or Windows 11; - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; > [!NOTE] @@ -53,12 +57,12 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo Based on the above, Alice defines the pseudo-rules for the policy: -1. **“Windows works”** rules which authorizes: +1. **“Windows works”** rules that authorize: - Windows - WHQL (3rd party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function +2. **"MEMCM works”** rules which include signer and hash rules for MEMCM components to properly function 3. **Allow Managed Installer** (MEMCM configured as a managed installer) 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) 5. **Admin-only path rules** for the following locations: 
@@ -68,14 +72,14 @@ Based on the above, Alice defines the pseudo-rules for the policy: ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: > [!NOTE] > If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. -1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above. +1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11. 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: @@ -137,12 +141,12 @@ Alice follows these steps to complete this task: At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. -## Security considerations of this lightly-managed policy +## Security considerations of this lightly managed policy In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: - **Users with administrative access**
- By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish. + By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. @@ -164,13 +168,13 @@ In order to minimize user productivity impact, Alice has defined a policy that m See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph) Possible mitigations: - - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules. + - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **Supplemental policies**
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. Possible mitigations: - - Use signed WDAC policies which allow authorized signed supplemental policies only. + - Use signed WDAC policies that allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **FilePath rules**
See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules) @@ -181,5 +185,5 @@ In order to minimize user productivity impact, Alice has defined a policy that m ## Up next -- [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) +- [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) - [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 2a3d5a91f3..52cac752d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -1,5 +1,5 @@ --- -title: Deploy catalog files to support Windows Defender Application Control (Windows 10) +title: Deploy catalog files to support Windows Defender Application Control (Windows) description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -23,7 +23,11 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 33cc699ac1..9ea7cc663a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Use multiple Windows Defender Application Control Policies (Windows 10) +title: Use multiple Windows Defender Application Control Policies (Windows) description: Windows Defender Application Control supports multiple code integrity policies for one device. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 version 1903 and above -- Windows Server 2022 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index 8e8fa29002..d20e96958f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Deploy WDAC policies via Group Policy (Windows 10) +title: Deploy WDAC policies via Group Policy (Windows) description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,11 +22,15 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). > [!NOTE] -> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, we recommend using an alternative method for policy deployment. +> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. Single-policy format WDAC policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. @@ -61,4 +65,4 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. -7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. +7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8cf09e5b2f..250600e081 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -1,5 +1,5 @@ --- -title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows 10) +title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows) description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,13 +22,18 @@ ms.technology: mde **Applies to:** -- Windows 10 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. ## Use Intune's built-in policies -Intune's built-in WDAC support allows you to configure Windows 10 client computers to only run: +Intune's built-in WDAC support allows you to configure Windows client computers to only run: - Windows components - 3rd party hardware and software kernel drivers 
@@ -36,7 +41,7 @@ Intune's built-in WDAC support allows you to configure Windows 10 client compute - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) > [!NOTE] -> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ as described later in this topic. +> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic. > [!NOTE] > Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP will always request a reboot when applying WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies rebootlessly. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 6cbf4d90fa..ad706276ac 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md 
@@ -1,5 +1,5 @@ --- -title: Disable Windows Defender Application Control policies (Windows 10) +title: Disable Windows Defender Application Control policies (Windows) description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -23,7 +23,11 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic covers how to disable unsigned or signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 6c3b04eb5a..5dd1fd73f9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10) +title: Enforce Windows Defender Application Control (WDAC) policies (Windows) description: Learn how to switch a WDAC policy from audit to enforced mode. keywords: security, malware ms.prod: m365-security 
@@ -20,13 +20,17 @@ ms.localizationpriority: medium **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode. > [!NOTE] -> Some of the steps described in this article only apply to Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs. +> Some of the steps described in this article only apply to Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs. ## Convert WDAC **base** policy from audit to enforced diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 8457a3a69c..4e249a4f50 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -1,5 +1,5 @@ --- -title: Example Windows Defender Application Control (WDAC) base policies (Windows 10) +title: Example Windows Defender Application Control (WDAC) base policies (Windows) description: When creating a WDAC policy for an organization, start from one of the many available example base policies. keywords: security, malware ms.topic: article @@ -23,8 +23,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 0f9af0978c..16eb1e9257 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md 
@@ -23,16 +23,20 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). | Capability | WDAC | AppLocker | |-------------|------|-------------| -| Platform support | Available on Windows 10 | Available on Windows 8+ | +| Platform support | Available on Windows 10 and Windows 11 | Available on Windows 8+ | | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. | | Management solutions |
  • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
  • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
  • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
  • PowerShell
|
  • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
  • MEMCM (custom policy deployment via Software Distribution only)
  • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
  • PowerShell
    • | | Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | -| Kernel mode policies | Available on all Windows 10 versions | Not available | +| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available | | Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available | | Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | | Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 4d5cd8178f..2d0ccf9451 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -1,5 +1,5 @@ --- -title: Manage packaged apps with WDAC (Windows 10) +title: Manage packaged apps with WDAC (Windows) description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -23,7 +23,11 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index a3a2084a23..f2561cb90c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Merge Windows Defender Application Control policies (WDAC) (Windows 10) +title: Merge Windows Defender Application Control policies (WDAC) (Windows) description: Learn how to merge WDAC policies as part of your policy lifecycle management. keywords: security, malware ms.prod: m365-security 
@@ -20,8 +20,12 @@ ms.localizationpriority: medium **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases. @@ -87,7 +91,7 @@ Now that you have your new, merged policy, you can convert and deploy the policy ``` > [!NOTE] - > In the sample commands above, for policies targeting Windows 10 version 1903+, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name. + > In the sample commands above, for policies targeting Windows 10 version 1903+ or Windows 11, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name. 2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index c69955e62b..9d1ed76f05 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -1,5 +1,5 @@ --- -title: Microsoft recommended block rules (Windows 10) +title: Microsoft recommended block rules (Windows) description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. 
@@ -71,7 +75,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you 1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. -2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. +2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that is not being used in a development context, we recommend that you block msbuild.exe. * Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: 
@@ -96,9 +100,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you > [!Note] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. -Certain software applications may allow additional code to run by design. +Certain software applications may allow extra code to run by design. These types of applications should be blocked by your Windows Defender Application Control policy. -In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add deny rules to your WDAC policies for that application’s previous, less secure versions. +Also, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add Deny rules to your WDAC policies for that application’s previous, less secure versions. Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f85b75d3ad..56ff102873 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
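Review bot: In the `@@ -96,9 +100,9 @@` hunk of microsoft-recommended-block-rules.md, "may allow extra code to run by design" is less precise than the original "additional code": the paragraph is describing applications that can load code beyond their own signed binaries, which is the bypass category this page exists to block, so keep "additional" or say "arbitrary code" rather than following the Acrolinx suggestion. Capitalising "Deny rules" is only appropriate if the page uses "Allow rules" and "Deny rules" as rule-type names elsewhere; if not, keep the lowercase form that was there.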
@@ -1,5 +1,5 @@ --- -title: Microsoft recommended driver block rules (Windows 10) +title: Microsoft recommended driver block rules (Windows) description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. keywords: security, malware, kernel mode, driver ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -21,10 +21,14 @@ ms.date: **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices 
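Review bot: In the `@@ -21,10 +21,14 @@` hunk of microsoft-recommended-driver-block-rules.md, replacing "Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers" with "So, malicious actors ..." weakens the causal point the paragraph is making (the strict kernel signing requirements are the reason attackers go after signed but vulnerable drivers) and opens a sentence with a conversational "So,". Suggest "As a result, malicious actors are turning to ...". The "Defender App Guard" link text in the added note has the same mismatch as in the other files in this series.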
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index a9cd8c8585..848bfe1e62 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -1,5 +1,5 @@ --- -title: Plan for WDAC policy management (Windows 10) +title: Plan for WDAC policy management (Windows) description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. 
@@ -49,10 +53,10 @@ To effectively manage WDAC policies, you should store and maintain your policy X ### Set PolicyName, PolicyID, and Version metadata for each policy -Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system auto-generate a unique ID for the policy. +Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy. > [!NOTE] -> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. +> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. > PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy. 
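Review bot: The `@@ -49,10 +53,10 @@` hunk of plan-windows-defender-application-control-management.md keeps the context line "PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy" without saying why, and "PolicyID's" is an apostrophe plural that should be "PolicyIDs". Since the hunk is already rewriting this note, add the reason: in the multiple-policy format the PolicyID is what the device uses to identify an installed policy, so running `-ResetPolicyId` against a policy that is already deployed yields a new policy that is installed alongside the old one rather than replacing it. That is the operational reason it belongs only in the initial creation step, and it is the kind of detail an operator needs before running the cmdlet on production policy XML.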
In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0"). diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 8f9b6ac45d..403aab58d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -1,6 +1,6 @@ --- -title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows 10) -description: Learn how WDAC policy rules and file rules can control your Windows 10 computers. +title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) +description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
@@ -22,10 +22,14 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. ## Windows Defender Application Control policy rules 
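Review bot: In the `@@ -22,10 +22,14 @@` hunk of select-types-of-rules-to-create.md the rewritten opening sentence says WDAC "can control what runs on Windows 10 and Windows 11", while the Applies-to list a few lines above it also names Windows Server 2016 and above. Either extend the sentence to "on Windows 10, Windows 11, and Windows Server 2016 and above" or simply say "on Windows" and let the Applies-to block carry the version list, so the two do not drift apart again on the next version bump. The "Defender App Guard" link text has the same problem as in the other files.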
@@ -58,10 +62,10 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes | | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes | | **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | Yes | -| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | No | +| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No | -| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). 
NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | No | +| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes | diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 936314d342..fcdf006d68 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md 
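Review bot: In the table hunk `@@ -58,10 +62,10 @@` of select-types-of-rules-to-create.md, row 8 (Required:EV Signers) changes "All Windows 10 and later drivers will meet this requirement" to "All Windows 10 and Windows 11 drivers will meet this requirement", which narrows the claim: "and later" covered future client versions and the Windows Server builds listed in Applies-to, whereas naming two versions does not. Prefer "All Windows 10 and later drivers, including Windows 11 drivers, meet this requirement". In row 11 the only edit is "versions of Windows 10" to "versions of Windows", but the clause "on devices with the Windows 10 May 2019 Update (1903) and higher" still reads as Windows 10 only; since Windows 11 is now in scope and is covered by "1903 and higher", update that clause in the same pass.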
@@ -1,5 +1,5 @@ --- -title: Policy creation for common WDAC usage scenarios (Windows 10) +title: Policy creation for common WDAC usage scenarios (Windows) description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,10 +22,14 @@ ms.technology: mde **Applies to** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described. +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described. ## Types of devices @@ -34,7 +38,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes | **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | | **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
      WDAC policies are supported by the HVCI service. | | **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | ## An introduction to Lamna Healthcare Company 
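Review bot: In the `@@ -34,7 +38,7 @@` hunk of types-of-devices.md, the BYOD row now suggests "an audit-mode policy ... or a blocklist only policy" for user-owned devices without the caveat that an unsigned WDAC policy on a device where the user is a local administrator can be removed by that user; the protection claimed in the neighbouring rows only holds for BYOD if the policy is signed, and the series already touches the tamper-protection topic (use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md in the diffstat), so a short pointer to it belongs in this row. Minor: "blocklist only policy" needs a hyphen, "blocklist-only policy", otherwise it parses as "a blocklist, only policy".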
@@ -42,7 +46,7 @@ In the next set of topics, we will explore each of the above scenarios using a f Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. -Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response. +Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response. 
> [!NOTE] > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. From 22daabf0d95e0a137832afd6849dcdc9b4a275b4 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Mon, 23 Aug 2021 15:59:29 +0530 Subject: [PATCH 06/41] TASK 5358645 : Batch 02, Windows 11 Inclusion updates Second batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to few words as per Acrolinx suggestions to meet the PR criteria). --- ...aged-apps-to-existing-applocker-rule-set.md | 11 ++++++++--- .../applocker/administer-applocker.md | 11 ++++++++--- .../applocker-architecture-and-components.md | 11 ++++++++--- .../applocker/applocker-functions.md | 11 ++++++++--- .../applocker/applocker-overview.md | 13 +++++++++---- .../applocker-policies-deployment-guide.md | 11 ++++++++--- .../applocker-policies-design-guide.md | 11 ++++++++--- .../applocker-policy-use-scenarios.md | 13 +++++++++---- .../applocker-processes-and-interactions.md | 11 ++++++++--- .../types-of-devices.md | 10 +++++++--- ...lication-control-policy-design-decisions.md | 16 ++++++++++------ ...control-for-classic-windows-applications.md | 18 +++++++++++------- ...g-portal-in-microsoft-store-for-business.md | 13 ++++++++----- ...er-application-control-against-tampering.md | 13 ++++++++----- ...ol-specific-plug-ins-add-ins-and-modules.md | 10 +++++++--- ...-control-with-intelligent-security-graph.md | 10 +++++++--- .../wdac-and-applocker-overview.md | 16 ++++++++++------ .../wdac-wizard-create-base-policy.md | 13 +++++++++---- .../wdac-wizard-create-supplemental-policy.md | 13 +++++++++---- .../wdac-wizard-editing-policy.md | 9 +++++++-- .../wdac-wizard.md | 12 ++++++++---- ...der-application-control-deployment-guide.md | 6 +++++- ...efender-application-control-design-guide.md | 17 +++++++++++------ ...er-application-control-operational-guide.md | 6 +++++- .../windows-defender-application-control.md | 10 +++++++--- 25 files changed, 203 insertions(+), 92 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index aafd72be3d..a44ddf2ec0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -1,5 +1,5 @@ --- -title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) +title: Add rules for packaged apps to existing AppLocker rule-set (Windows) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Add rules for packaged apps to existing AppLocker rule-set **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 105e16241c..de30943c9e 100644 
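Review bot: In the `@@ -21,8 +21,13 @@` hunk of applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md the added note links to `feature-availability.md` with a bare relative path, but this file lives in the `applocker/` subfolder (see the diff header), whereas the WDAC pages earlier in the series link to `feature-availability.md` from the parent `windows-defender-application-control/` folder. Unless a copy of that file exists under `applocker/`, the link must be `../feature-availability.md`; the same note is pasted into every AppLocker file in this patch, so each of them carries the same broken link and needs the same fix. Two further points on this hunk: the note talks about Windows Defender Application Control capabilities on an AppLocker page, so either say "AppLocker and Windows Defender Application Control" or leave the note out of the AppLocker topics; and changing `- Windows Server` to `- Windows Server 2016 and above` silently drops Windows Server 2008 R2, 2012 and 2012 R2, all of which support AppLocker, so confirm the narrowed list is intended rather than copied from the WDAC pages.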
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -1,5 +1,5 @@ --- -title: Administer AppLocker (Windows 10) +title: Administer AppLocker (Windows) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Administer AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 04a1ea12ad..b0f00626d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -1,5 +1,5 @@ --- -title: AppLocker architecture and components (Windows 10) +title: AppLocker architecture and components (Windows) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # AppLocker architecture and components **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for IT professional describes AppLocker’s basic architecture and its major components. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index d28879a339..b411688c4c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -1,5 +1,5 @@ --- -title: AppLocker functions (Windows 10) +title: AppLocker functions (Windows) description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # AppLocker functions **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 29d54546be..c954daf11e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -1,5 +1,5 @@ --- -title: AppLocker (Windows 10) +title: AppLocker (Windows) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a ms.reviewer: 
@@ -21,10 +21,15 @@ ms.technology: mde # AppLocker **Applies to** -- Windows 10 -- Windows Server -This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. > [!NOTE] > AppLocker is unable to control processes running under the system account on any operating system. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 60bc44e368..5835e27fd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md 
@@ -1,5 +1,5 @@ --- -title: AppLocker deployment guide (Windows 10) +title: AppLocker deployment guide (Windows) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 ms.reviewer: @@ -22,8 +22,13 @@ ms.technology: mde # AppLocker deployment guide **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index 960362fe53..978a28cd60 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -1,5 +1,5 @@ --- -title: AppLocker design guide (Windows 10) +title: AppLocker design guide (Windows) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # AppLocker design guide **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 897753b906..7f97ef0d96 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -1,5 +1,5 @@ --- -title: AppLocker policy use scenarios (Windows 10) +title: AppLocker policy use scenarios (Windows) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # AppLocker policy use scenarios **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. 
@@ -34,7 +39,7 @@ AppLocker can help you improve the management of application control and the mai 2. **Protection against unwanted software** - AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails. + AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not identified by its publisher, installation path, or file hash, the attempt to run the application fails. 3. **Licensing conformance** diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 0ffdf6a6e0..747b1b68e9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -1,5 +1,5 @@ --- -title: AppLocker processes and interactions (Windows 10) +title: AppLocker processes and interactions (Windows) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # AppLocker processes and interactions **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 936314d342..cfc4e34f36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -1,5 +1,5 @@ --- -title: Policy creation for common WDAC usage scenarios (Windows 10) +title: Policy creation for common WDAC usage scenarios (Windows) description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -23,9 +23,13 @@ ms.technology: mde **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 and above -Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described. ## Types of devices @@ -34,7 +38,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes | **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | | **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
      WDAC policies are supported by the HVCI service. | | **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | ## An introduction to Lamna Healthcare Company diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 7640970646..ce15020a22 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
@@ -1,5 +1,5 @@ --- -title: Understand Windows Defender Application Control policy design decisions (Windows 10) +title: Understand Windows Defender Application Control policy design decisions (Windows) description: Understand Windows Defender Application Control policy design decisions. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment. 
@@ -70,7 +74,7 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | +| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? 
@@ -79,7 +83,7 @@ Most business teams or departments have specific security requirements that pert | Possible answers | Design considerations | | - | - | | Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally defined base policy.| -| No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| +| No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10 and Windows 11. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| ### Does your IT department have resources to analyze application usage, and to design and manage the policies? @@ -88,7 +92,7 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | | Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.| -| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | +| No | Consider a focused and phased deployment for specific groups by using few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 8e289e4bf3..dae8561c9b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,5 +1,5 @@ --- -title: Use code signing to simplify application control for classic Windows applications (Windows 10) +title: Use code signing to simplify application control for classic Windows applications (Windows) description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -22,12 +22,16 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). This topic covers guidelines for using code signing control classic Windows apps. -## Reviewing your applications: application signing and catalog files +## Reviewing your applications: application signing and catalog files Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. 
@@ -49,20 +53,20 @@ To use catalog signing, you can choose from the following options: ### Catalog files -Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application. +Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. 
> [!NOTE] -> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. +> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, Windows 2016 Server, or Windows Enterprise IoT. For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). ## Windows Defender Application Control policy formats and signing -When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. +When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index a34f45e591..73f07b3405 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -1,5 +1,5 @@ --- -title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows 10) +title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows) description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,11 +22,14 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2019 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. ## Sign your code integrity policy Before you get started, be sure to review these best practices: 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 498c736696..11d3f0df1e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -1,6 +1,6 @@ --- -title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10) -description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. +title: Use signed policies to protect Windows Defender Application Control against tampering (Windows) +description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10 and Windows 11. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
@@ -22,11 +22,14 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. +Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 9ffbd067e1..22a1c3c03a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -1,5 +1,5 @@ --- -title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows 10) +title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows) description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index d9b739c0ae..22c3b5e232 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -1,5 +1,5 @@ --- -title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10) +title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows) description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -22,8 +22,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index ce2acde0e8..e8557445d0 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -23,14 +23,18 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Windows 10 includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. ## Windows Defender Application Control -WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). +WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: 
@@ -45,9 +49,9 @@ Note that prior to Windows 10 version 1709, Windows Defender Application Control ### WDAC System Requirements -WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above. +WDAC policies can be created on any client edition of Windows 10 build 1903+, or Windows 11, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 and Windows 11 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 2c5382e43b..0370e86093 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md 
@@ -22,8 +22,13 @@ ms.technology: mde # Creating a new Base Policy with the Wizard **Applies to** -- Windows 10 -- Windows Server 2016 and above + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. 
@@ -63,7 +68,7 @@ A description of each policy rule, beginning with the left-most column, is provi |**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.| | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | -| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | +| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows–compatible driver must be WHQL certified. | | **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | | **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | | **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. 
Enabling this rule option validates user mode executables and scripts. | @@ -82,7 +87,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | | **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). | | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| -| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | +| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement. | ![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index bca81708e6..ba4f9bd85e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md 
@@ -22,12 +22,17 @@ ms.technology: mde # Creating a new Supplemental Policy with the Wizard **Applies to** -- Windows 10 -- Windows Server 2016 and above -Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. + +Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). 
This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules. ## Expanding a Base Policy diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index 2b94c7f004..18e27bfb31 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -22,8 +22,13 @@ ms.technology: mde # Editing existing base and supplemental WDAC policies with the Wizard **Applies to** -- Windows 10 -- Windows Server 2016 and above + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
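Review bot: In the **Require EV Signers** row of the advanced rule-options table in wdac-wizard-create-base-policy.md, the new text "All Windows 10 and later, or Windows 11 drivers will meet this requirement" is redundant, since "Windows 10 and later" already covers Windows 11, and it reads as if the two were different populations of drivers. Keep the original "All Windows 10 and later drivers will meet this requirement", or, if both names are wanted, "All drivers for Windows 10, Windows 11, and later will meet this requirement". This table is what readers consult when deciding which drivers a hardened policy will block, so the wording should leave no ambiguity.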
        diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index e1581cb011..4cdeb72f21 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md 
@@ -23,14 +23,18 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + +The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. ## Downloading the application -The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). +The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. 
The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). **Supported Clients** diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index ab280eb0bc..40512b4dda 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Deploying Windows Defender Application Control (WDAC) policies (Windows 10) +title: Deploying Windows Defender Application Control (WDAC) policies (Windows) description: Learn how to plan and implement a WDAC deployment. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -23,8 +23,12 @@ ms.technology: mde **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 and above +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding. ## Plan your deployment diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 0f0e3e388f..57db67bee8 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Application Control design guide (Windows 10) -description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows 10 devices. +title: Windows Defender Application Control design guide (Windows) +description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows devices. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
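Review bot: The rewritten audience sentence in wdac-wizard.md, "provide security architects with security, and system administrators with a more user-friendly means", breaks the list of three roles the original carried ("security architects, security and system administrators"); suggest "provide security architects, security administrators, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies". The same hunk keeps the `https://bit.ly/3koHwYs` short link for the MSIX installer; readers of a security-tooling page cannot see where a shortened URL resolves, so consider linking the canonical download location directly, as the hunk already does for the GitHub source.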
@@ -22,19 +22,24 @@ ms.technology: mde # Windows Defender Application Control design guide **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 - Windows Server 2016 and above +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. ## Plan for success -A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be very successful if they take a methodical approach and carefully plan their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning: +A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be successful if they take a methodical approach and carefully plan their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning: - Executive sponsorship and organizational buy-in is in place. - There is a clear **business** objective for using application control and it is not being planned as a purely technical problem from IT. 
- The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps. -- The organization has considered where application control can be most useful (e.g. securing sensitive workloads or business functions) and also where it may be difficult to achieve (e.g. developer workstations). +- The organization has considered where application control can be most useful (for example, securing sensitive workloads or business functions) and also where it may be difficult to achieve (for example, developer workstations). Once these business factors are in place, you are ready to begin planning your WDAC deployment. The following topics can help guide you through your planning process. 
@@ -46,6 +51,6 @@ Once these business factors are in place, you are ready to begin planning your W | [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | | [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | | [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. | -| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit and merge WDAC policies. | +| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit, and merge WDAC policies. | After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 8a7fec062e..31c5d1fe8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -1,5 +1,5 @@ --- -title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10) +title: Managing and troubleshooting Windows Defender Application Control policies (Windows) description: Gather information about how your deployed Windows Defender Application Control policies are behaving. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -23,8 +23,12 @@ ms.technology: mde **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 and above +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). + After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. ## WDAC Events Overview diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index bbf2800ac4..abe51d1188 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md 
@@ -23,8 +23,12 @@ ms.technology: mde **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. @@ -37,7 +41,7 @@ Application control is a crucial line of defense for protecting enterprises give > [!NOTE] > Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. -Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: +Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements: - **Windows Defender Application Control**; and - **AppLocker** From 88b13a7afee79bd6e6814e8c4833d7cb95410c18 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Mon, 23 Aug 2021 16:11:18 +0530 Subject: [PATCH 07/41] Fixing the links --- ...dd-rules-for-packaged-apps-to-existing-applocker-rule-set.md | 2 +- .../applocker/administer-applocker.md | 2 +- .../applocker/applocker-architecture-and-components.md | 2 +- .../applocker/applocker-functions.md | 2 +- .../applocker/applocker-overview.md | 2 +- .../applocker/applocker-policies-deployment-guide.md | 2 +- .../applocker/applocker-policies-design-guide.md | 2 +- .../applocker/applocker-policy-use-scenarios.md | 2 +- .../applocker/applocker-processes-and-interactions.md | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index a44ddf2ec0..9036f3e4c1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). 
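Review bot: Replacing the relative `feature-availability.md` with the absolute `/windows/security/threat-protection/windows-defender-application-control/feature-availability` is the right fix, because the relative form resolved under the `applocker/` folder while the target page lives one level up; the same change is repeated in the eight remaining AppLocker files in this patch. The link text "Defender App Guard feature availability" still names Application Guard rather than Application Control, so consider correcting it in the same pass across all nine files.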
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index de30943c9e..7f2698f4c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index b0f00626d8..44cb55c39e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes AppLocker’s basic architecture and its major components. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index b411688c4c..c6b0e3ecf4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index c954daf11e..93a162dc9a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 5835e27fd9..86a8829b86 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md 
@@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index 978a28cd60..a7d286ac77 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 7f97ef0d96..9afaf76dd4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 747b1b68e9..72c593b20b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. From b1dfa8c50e4e3eba877e538a1eaad0c693459233 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Mon, 23 Aug 2021 16:33:05 +0530 Subject: [PATCH 08/41] Suggestion fixes --- .../LOB-win32-apps-on-s.md | 10 +++++----- ...uthorized-apps-deployed-with-a-managed-installer.md | 4 ++-- .../configure-wdac-managed-installer.md | 2 +- .../create-wdac-policy-for-fully-managed-devices.md | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index af1e30dca2..ab40f94622 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
@@ -47,18 +47,18 @@ The general steps for expanding the S mode base policy on your Intune-managed de Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. Below are a basic set of instructions for creating an S mode supplemental policy: - - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps) + - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash ``` - - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps) + - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true) ```powershell Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "\SupplementalPolicy.xml" ``` Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID. - - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps) + - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true) ```powershell Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete 
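Review bot: The context line `Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete` has a stray `>` inside the quoted path and writes the `-Delete` switch with an en dash (U+2013) rather than a hyphen; since this hunk already touches the surrounding list items, fix both so the command copies cleanly (PowerShell tolerates the typographic dash, but scripts and other tooling that readers paste it into may not). In the same hunk, `New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs ...` shows `-ScanPath` with no argument, which suggests a path placeholder was dropped in rendering; confirm the placeholder survives inside the code fence.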
@@ -69,7 +69,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de ```powershell Add-SignerRule -FilePath -CertificatePath -User -Update ``` - - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) + - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true) ```powershell ConvertFrom-CIPolicy -XmlFilePath "\SupplementalPolicy.xml" -BinaryFilePath "\SupplementalPolicy.bin> @@ -86,7 +86,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device. > [!Note] -> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number. +> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number. ## Standard Process for Deploying Apps through Intune ![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) 
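Review bot: the ConvertFrom-CIPolicy sample next to the edited link ends in `-BinaryFilePath "\SupplementalPolicy.bin>` with an unclosed quote and a stray >, and the Intune paragraph in the later hunk has "device- specific" with a space after the hyphen; both are worth fixing while these lines are being touched.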
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 76eb273ded..70e5a3a31d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -1,6 +1,6 @@ --- title: Configure authorized apps deployed with a WDAC-managed installer (Windows) -description: Explains how to configure a custom Manged Installer. +description: Explains about how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
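Review bot: the new description, "Explains about how to configure a custom Manged Installer.", is a regression: "explains about how" is ungrammatical and the typo "Manged" is carried over from the old line. Suggest "Explains how to configure a custom Managed Installer."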
@@ -77,7 +77,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. ```powershell Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 14ac17e575..a6fe5ce62e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md 
@@ -44,7 +44,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. ```powershell Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 3870af3447..0037968837 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md 
@@ -1,6 +1,6 @@ --- title: Create a WDAC policy for fully managed devices (Windows) -description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in system core. keywords: security, malware ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb From 2eebe307971dcd197c8cac3a5f89f79c2d5ccc6f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 23 Aug 2021 20:11:53 +0530 Subject: [PATCH 09/41] updated-per-5358656 Windows Sandbox update for W11 - task 5358656 --- .../windows-sandbox-configure-using-wsb-file.md | 2 +- .../windows-sandbox/windows-sandbox-overview.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 6eb53f8e15..553720a2f2 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
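Review bot: the new description drops the article in "the code that runs in system core"; the original wording "the code that runs in the system core" was correct, so this change should be reverted.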
@@ -16,7 +16,7 @@ ms.technology: mde # Windows Sandbox configuration -Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension. +Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension. A configuration file enables the user to control the following aspects of Windows Sandbox: diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 869b04185e..5d3cb0e3e3 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -36,7 +36,7 @@ The following video provides an overview of Windows Sandbox. ## Prerequisites -- Windows 10 Pro, Enterprise or Education build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*) +- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Home SKUs*) - AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) @@ -45,7 +45,7 @@ The following video provides an overview of Windows Sandbox. ## Installation -1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later. +1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. 2. Enable virtualization on the machine. 
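Review bot: replacing "build 18342 or later" with "build 18342 or Windows 11" (and likewise "build 18305 or later" in both windows-sandbox-overview.md hunks) narrows the statement to one exact Windows 10 build and no longer covers later Windows 10 builds; suggest "Windows 10 build 18342 or later, or Windows 11" and the same pattern for 18305. The installation step also still reads "Windows 10 Pro or Enterprise" while the prerequisites list "Pro, Enterprise or Education", which is worth aligning in the same edit.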
From da923c96b7adef6879f44af483fc9862e6712237 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 23 Aug 2021 20:30:35 +0530 Subject: [PATCH 10/41] updated-per-5358718 WINDOWS: SmartScreen for W11 --- ...crosoft-defender-smartscreen-available-settings.md | 11 ++++++----- .../microsoft-defender-smartscreen-overview.md | 3 ++- ...soft-defender-smartscreen-set-individual-device.md | 3 ++- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index f06ae93261..476c4b6291 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -1,5 +1,5 @@ --- -title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) +title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows) description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: m365-security 
@@ -18,10 +18,11 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. -See [Windows 10 (and later) settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. +See [Windows 10 (and Windows 11) settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. ## Group Policy settings @@ -45,7 +46,7 @@ SmartScreen uses registry-based Administrative Template policy settings.
- + @@ -134,7 +135,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser] - + - + - +
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

Microsoft Edge on Windows 10 or laterMicrosoft Edge on Windows 10 or Windows 11 This policy setting turns on Microsoft Defender SmartScreen.

If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.

PreventSmartScreenPromptOverrideWindows 10, Version 1511 and laterWindows 10, Version 1511 and Windows 11
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
  • @@ -146,7 +147,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser]
PreventSmartScreenPromptOverrideForFilesWindows 10, Version 1511 and laterWindows 10, Version 1511 and Windows 11
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
  • diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 80486846fb..b08aecf50b 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender SmartScreen overview (Windows 10) +title: Microsoft Defender SmartScreen overview (Windows) description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: m365-security @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 - Microsoft Edge Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 85c404a314..7d4064e3d3 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md 
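Review bot: the table rows changed in this hunk replace "Windows 10 or later" with "Windows 10 or Windows 11" and "Windows 10, Version 1511 and later" with "Windows 10, Version 1511 and Windows 11"; the second form now reads as if only version 1511 of Windows 10 is supported. Suggest "Windows 10, version 1511 or later, and Windows 11" for the PreventSmartScreenPromptOverride and PreventSmartScreenPromptOverrideForFiles rows, and the same fix for the "Windows 10 (and later)" link text changed earlier in this file.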
@@ -1,5 +1,5 @@ --- -title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10) +title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows) description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: m365-security @@ -19,6 +19,7 @@ ms.technology: mde **Applies to:** - Windows 10, version 1703 +- Windows 11 - Microsoft Edge Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. From 84373c8d5fc210e9c89ccf8addfbbdcfbb42db87 Mon Sep 17 00:00:00 2001 From: Michael Mardahl Date: Tue, 24 Aug 2021 10:06:20 +0200 Subject: [PATCH 11/41] Update windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md Sounds better. I like it! Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-remote-desktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 6590ff5250..2ff74ab038 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
@@ -25,7 +25,7 @@ ms.reviewer: - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices -Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish an RDP connection. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. From 941f089142938bb7f2797251621e301cd8d17724 Mon Sep 17 00:00:00 2001 
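Review bot: "remote desktop protocol" is the name of a protocol and is normally capitalised as Remote Desktop Protocol or abbreviated RDP; the earlier phrase in the same sentence, "the redirected smart card capabilities of the remote desktop protocol", uses the same lowercase form, so either capitalise both or keep the original "RDP connection". The following context line also has "supporting using keys trust" where "key trust" is meant.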
From: Alekhya Jupudi Date: Tue, 24 Aug 2021 14:31:46 +0530 Subject: [PATCH 12/41] TASK 5358645 : Batch 03, Windows 11 Inclusion updates Third batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to a few words as per Acrolinx suggestions to meet the PR criteria). --- .../applocker/applocker-settings.md | 11 ++++++++--- .../applocker/applocker-technical-reference.md | 11 ++++++++--- ...onfigure-an-applocker-policy-for-audit-only.md | 11 ++++++++--- ...igure-an-applocker-policy-for-enforce-rules.md | 11 ++++++++--- .../configure-exceptions-for-an-applocker-rule.md | 11 ++++++++--- .../configure-the-appLocker-reference-device.md | 11 ++++++++--- .../configure-the-application-identity-service.md | 11 ++++++++--- .../applocker/create-a-rule-for-packaged-apps.md | 15 ++++++++++----- ...eate-a-rule-that-uses-a-file-hash-condition.md | 11 ++++++++--- .../create-a-rule-that-uses-a-path-condition.md | 11 ++++++++--- ...eate-a-rule-that-uses-a-publisher-condition.md | 11 ++++++++--- .../applocker/create-applocker-default-rules.md | 11 ++++++++--- ...pplications-deployed-to-each-business-group.md | 11 ++++++++--- .../applocker/create-your-applocker-policies.md | 11 ++++++++--- .../applocker/create-your-applocker-rules.md | 11 ++++++++--- .../applocker/delete-an-applocker-rule.md | 11 ++++++++--- ...policies-by-using-the-enforce-rules-setting.md | 11 ++++++++--- ...deploy-the-applocker-policy-into-production.md | 11 ++++++++--- ...group-policy-structure-and-rule-enforcement.md | 11 ++++++++--- ...re-digitally-signed-on-a-reference-computer.md | 11 ++++++++--- ...termine-your-application-control-objectives.md | 11 ++++++++--- ...when-users-try-to-run-a-blocked-application.md | 11 ++++++++--- .../applocker/dll-rules-in-applocker.md | 11 ++++++++--- ...cy-structure-and-applocker-rule-enforcement.md | 11 ++++++++--- .../applocker/document-your-application-list.md | 11 ++++++++--- 25 files changed, 202 insertions(+), 77
deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index 56d2fcb24d..e6ffbc2ba9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -1,5 +1,5 @@ --- -title: AppLocker settings (Windows 10) +title: AppLocker settings (Windows) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # AppLocker settings **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the settings used by AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index db60e0f7bc..49e952d360 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md 
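Review bot: the NOTE block added to the "Applies to" section (here and in every file of this patch) links to the Windows Defender Application Control feature-availability page but labels it "Defender App Guard feature availability", which names a different product; change the link text to "Windows Defender Application Control feature availability". The same added lines also write `>[!NOTE]` with no space after the quote marker, while the existing notes in this repository use `> [!NOTE]`; keep the spaced form for consistency.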
@@ -1,5 +1,5 @@ --- -title: AppLocker technical reference (Windows 10) +title: AppLocker technical reference (Windows) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # AppLocker technical reference **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 8995d1c8cf..44e68d79c2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md 
@@ -1,5 +1,5 @@ --- -title: Configure an AppLocker policy for audit only (Windows 10) +title: Configure an AppLocker policy for audit only (Windows) description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Configure an AppLocker policy for audit only **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index 1f3d8928cf..e59657993f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -1,5 +1,5 @@ --- -title: Configure an AppLocker policy for enforce rules (Windows 10) +title: Configure an AppLocker policy for enforce rules (Windows) description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Configure an AppLocker policy for enforce rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index fea958441d..a018cafadb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -1,5 +1,5 @@ --- -title: Add exceptions for an AppLocker rule (Windows 10) +title: Add exceptions for an AppLocker rule (Windows) description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Add exceptions for an AppLocker rule **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index 9b81e3d6fe..e836660931 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -1,5 +1,5 @@ --- -title: Configure the AppLocker reference device (Windows 10) +title: Configure the AppLocker reference device (Windows) description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Configure the AppLocker reference device **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 83c7422028..0501a133b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -1,5 +1,5 @@ --- -title: Configure the Application Identity service (Windows 10) +title: Configure the Application Identity service (Windows) description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Configure the Application Identity service **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index e7c76c7e98..eecd667d2b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -1,5 +1,5 @@ --- -title: Create a rule for packaged apps (Windows 10) +title: Create a rule for packaged apps (Windows) description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Create a rule for packaged apps **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. @@ -32,7 +37,7 @@ Packaged apps, also known as Universal Windows apps, are based on an app model t - Package name - Package version -All the files within a package as well as the package installer share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation as well as the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups. +All the files within a package and the package installers share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation and the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups. For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). @@ -67,7 +72,7 @@ You can perform this task by using the Group Policy Management Console for an Ap

Use a packaged app installer as a reference

If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.

Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.

Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.

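Review bot: In the `@@ -32,7 +37,7 @@` hunk of create-a-rule-for-packaged-apps.md, the rewritten sentence pluralises the installer: "All the files within a package and the package installers share these attributes". The surrounding text treats one package and one installer ("A packaged app installer has the .appx extension"), so keep the singular: "All the files within a package and the package installer share these attributes." The rest of the rewrite (dropping "as well as") reads fine.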
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index c68870383e..141694e9b1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -1,5 +1,5 @@ --- -title: Create a rule that uses a file hash condition (Windows 10) +title: Create a rule that uses a file hash condition (Windows) description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Create a rule that uses a file hash condition **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index fd4ebfd86a..3efd61d7e9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -1,5 +1,5 @@ --- -title: Create a rule that uses a path condition (Windows 10) +title: Create a rule that uses a path condition (Windows) description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Create a rule that uses a path condition **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a path condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index f7f9061767..8554f3c9f2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -1,5 +1,5 @@ --- -title: Create a rule that uses a publisher condition (Windows 10) +title: Create a rule that uses a publisher condition (Windows) description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Create a rule that uses a publisher condition **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 8e818f8d12..1b41d7d17d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -1,5 +1,5 @@ --- -title: Create AppLocker default rules (Windows 10) +title: Create AppLocker default rules (Windows) description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Create AppLocker default rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 9d57825f8a..61d80caa45 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -1,5 +1,5 @@ --- -title: Create a list of apps deployed to each business group (Windows 10) +title: Create a list of apps deployed to each business group (Windows) description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Create a list of apps deployed to each business group **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index d0a53377ec..a4dd6d3cbb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -1,5 +1,5 @@ --- -title: Create Your AppLocker policies (Windows 10) +title: Create Your AppLocker policies (Windows) description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Create Your AppLocker policies **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index dd866880d3..49afa8e599 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -1,5 +1,5 @@ --- -title: Create Your AppLocker rules (Windows 10) +title: Create Your AppLocker rules (Windows) description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Create Your AppLocker rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 37cc05e7a2..d99290ca20 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -1,5 +1,5 @@ --- -title: Delete an AppLocker rule (Windows 10) +title: Delete an AppLocker rule (Windows) description: This article for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Delete an AppLocker rule **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals describes the steps to delete an AppLocker rule. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index bd480092c0..4eacf25176 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -1,5 +1,5 @@ --- -title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) +title: Deploy AppLocker policies by using the enforce rules setting (Windows) description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Deploy AppLocker policies by using the enforce rules setting **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 64f60860f0..1cef053c49 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -1,5 +1,5 @@ --- -title: Deploy the AppLocker policy into production (Windows 10) +title: Deploy the AppLocker policy into production (Windows) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Deploy the AppLocker policy into production **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index fdeb9db2dc..4e97c71abe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md 
@@ -1,5 +1,5 @@ --- -title: Determine the Group Policy structure and rule enforcement (Windows 10) +title: Determine the Group Policy structure and rule enforcement (Windows) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Determine the Group Policy structure and rule enforcement **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic describes the process to follow when you are planning to deploy AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 44775ea2d0..cd61c3ae04 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md 
@@ -1,5 +1,5 @@ --- -title: Find digitally signed apps on a reference device (Windows 10) +title: Find digitally signed apps on a reference device (Windows) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Determine which apps are digitally signed on a reference device **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index 516f7eaff2..90e037220c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -1,5 +1,5 @@ --- -title: Determine your application control objectives (Windows 10) +title: Determine your application control objectives (Windows) description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Determine your application control objectives **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 4f89790b1c..0337e87f46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -1,5 +1,5 @@ --- -title: Display a custom URL message when users try to run a blocked app (Windows 10) +title: Display a custom URL message when users try to run a blocked app (Windows) description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Display a custom URL message when users try to run a blocked app **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index aec41fda97..f547e9a47c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -1,5 +1,5 @@ --- -title: DLL rules in AppLocker (Windows 10) +title: DLL rules in AppLocker (Windows) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # DLL rules in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the DLL rule collection. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 7c80353023..94b76c08b1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -1,5 +1,5 @@ --- -title: Document Group Policy structure & AppLocker rule enforcement (Windows 10) +title: Document Group Policy structure & AppLocker rule enforcement (Windows) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Document the Group Policy structure and AppLocker rule enforcement **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index 64318e0bd7..abace52005 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -1,5 +1,5 @@ --- -title: Document your app list (Windows 10) +title: Document your app list (Windows) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Document your app list **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. From 7d543c500b97df11fbbcd2c49706a46f5ffcf3c9 Mon Sep 17 00:00:00 2001 
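Review bot: In every `@@ -21,8 +21,13 @@` hunk, the added note's link text does not match its target: the text says "Defender App Guard feature availability" but the link points at `/windows/security/threat-protection/windows-defender-application-control/feature-availability`, and the sentence before it is about Windows Defender Application Control. Application Guard is a different feature, so use "Windows Defender Application Control feature availability" as the link text in all of these hunks. While there, write the alert as `> [!NOTE]` with a space after the `>`, which is the usual docs alert syntax.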
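Review bot: The same `@@ -21,8 +21,13 @@` hunks replace the unqualified "- Windows Server" entry with "- Windows Server 2016 and above", which narrows the stated applicability of these AppLocker topics rather than only adding Windows 11. Nothing in the patch says why earlier server versions are dropped; either state the reason in the commit message (for example, listing only versions still in support) or keep the entry as it was and add the Windows 11 line alone.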
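Review bot: In the create-your-applocker-rules.md `@@ -1,5 +1,5 @@` hunk, the description line directly under the edited title is missing a word: "the methods that you can to create rules" should read "the methods that you can use to create rules". The same wording recurs as the trailing context of that file's `@@ -21,8 +21,13 @@` hunk; fix both while the file is being touched.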
From: Alekhya Jupudi Date: Tue, 24 Aug 2021 15:00:19 +0530 Subject: [PATCH 13/41] TASK 5358645 : Batch 04, Windows 11 Inclusion updates Fourth batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to a few words as per Acrolinx suggestions to meet the PR criteria). --- .../applocker/document-your-applocker-rules.md | 11 ++++++++--- .../applocker/edit-an-applocker-policy.md | 11 ++++++++--- .../applocker/edit-applocker-rules.md | 11 ++++++++--- .../applocker/enable-the-dll-rule-collection.md | 11 ++++++++--- .../applocker/enforce-applocker-rules.md | 11 ++++++++--- .../applocker/executable-rules-in-applocker.md | 11 ++++++++--- .../export-an-applocker-policy-from-a-gpo.md | 11 ++++++++--- .../export-an-applocker-policy-to-an-xml-file.md | 11 ++++++++--- .../applocker/how-applocker-works-techref.md | 11 ++++++++--- ...t-an-applocker-policy-from-another-computer.md | 11 ++++++++--- .../import-an-applocker-policy-into-a-gpo.md | 11 ++++++++--- .../applocker/maintain-applocker-policies.md | 11 ++++++++--- .../manage-packaged-apps-with-applocker.md | 11 ++++++++--- ...ocker-policies-by-using-set-applockerpolicy.md | 11 ++++++++--- .../merge-applocker-policies-manually.md | 11 ++++++++--- .../monitor-application-usage-with-applocker.md | 11 ++++++++--- .../applocker/optimize-applocker-performance.md | 11 ++++++++--- ...d-packaged-app-installer-rules-in-applocker.md | 11 ++++++++--- .../plan-for-applocker-policy-management.md | 11 ++++++++--- .../applocker/refresh-an-applocker-policy.md | 11 ++++++++--- ...quirements-for-deploying-applocker-policies.md | 11 ++++++++--- .../applocker/requirements-to-use-applocker.md | 15 ++++++++++----- ...run-the-automatically-generate-rules-wizard.md | 11 ++++++++--- .../applocker/script-rules-in-applocker.md | 11 ++++++++--- .../security-considerations-for-applocker.md | 11 ++++++++--- .../applocker/select-types-of-rules-to-create.md | 11 ++++++++--- 26 files changed, 210 
insertions(+), 80 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 1000876fbf..40154a27ac 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -1,5 +1,5 @@ --- -title: Document your AppLocker rules (Windows 10) +title: Document your AppLocker rules (Windows) description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Document your AppLocker rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 9865b4a5d9..d9503e8a00 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -1,5 +1,5 @@ --- -title: Edit an AppLocker policy (Windows 10) +title: Edit an AppLocker policy (Windows) description: This topic for IT professionals describes the steps required to modify an AppLocker policy. ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Edit an AppLocker policy **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps required to modify an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index 9fba4220b8..ae57316f95 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -1,5 +1,5 @@ --- -title: Edit AppLocker rules (Windows 10) +title: Edit AppLocker rules (Windows) description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Edit AppLocker rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index 33f8fc5205..a7127c01e3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -1,5 +1,5 @@ --- -title: Enable the DLL rule collection (Windows 10) +title: Enable the DLL rule collection (Windows) description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Enable the DLL rule collection **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index 977c71d0cf..d5af5704b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -1,5 +1,5 @@ --- -title: Enforce AppLocker rules (Windows 10) +title: Enforce AppLocker rules (Windows) description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Enforce AppLocker rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to enforce application control rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index 13e0194acf..4a08f289bb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md 
@@ -1,5 +1,5 @@ --- -title: Executable rules in AppLocker (Windows 10) +title: Executable rules in AppLocker (Windows) description: This topic describes the file formats and available default rules for the executable rule collection. ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Executable rules in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the executable rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 6f17980018..6a31ee8659 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -1,5 +1,5 @@ --- -title: Export an AppLocker policy from a GPO (Windows 10) +title: Export an AppLocker policy from a GPO (Windows) description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Export an AppLocker policy from a GPO **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index a2c2fda488..b31a06093c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -1,5 +1,5 @@ --- -title: Export an AppLocker policy to an XML file (Windows 10) +title: Export an AppLocker policy to an XML file (Windows) description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Export an AppLocker policy to an XML file **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index 6e4827d32a..a69c492e7b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -1,5 +1,5 @@ --- -title: How AppLocker works (Windows 10) +title: How AppLocker works (Windows) description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # How AppLocker works **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index 572410407e..ee2571025c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -1,5 +1,5 @@ --- -title: Import an AppLocker policy from another computer (Windows 10) +title: Import an AppLocker policy from another computer (Windows) description: This topic for IT professionals describes how to import an AppLocker policy. ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Import an AppLocker policy from another computer **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to import an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index 10cdc3f2c5..a1f2c8e829 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -1,5 +1,5 @@ --- -title: Import an AppLocker policy into a GPO (Windows 10) +title: Import an AppLocker policy into a GPO (Windows) description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Import an AppLocker policy into a GPO **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 45ecd00528..495e5578cb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -1,5 +1,5 @@ --- -title: Maintain AppLocker policies (Windows 10) +title: Maintain AppLocker policies (Windows) description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc ms.reviewer: 
@@ -20,8 +20,13 @@ ms.technology: mde # Maintain AppLocker policies **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to maintain rules within AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 5629e15a24..963ec6547b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -1,5 +1,5 @@ --- -title: Manage packaged apps with AppLocker (Windows 10) +title: Manage packaged apps with AppLocker (Windows) description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy. ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Manage packaged apps with AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 3701ca5daf..1034d8e194 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -1,5 +1,5 @@ --- -title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) +title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows) description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Merge AppLocker policies by using Set-ApplockerPolicy **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index 7567707461..c6beb49771 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -1,5 +1,5 @@ --- -title: Merge AppLocker policies manually (Windows 10) +title: Merge AppLocker policies manually (Windows) description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Merge AppLocker policies manually **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 56d201be4e..15bd4e6197 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -1,5 +1,5 @@ --- -title: Monitor app usage with AppLocker (Windows 10) +title: Monitor app usage with AppLocker (Windows) description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Monitor app usage with AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index 48b6672c34..15357f0a4c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -1,5 +1,5 @@ --- -title: Optimize AppLocker performance (Windows 10) +title: Optimize AppLocker performance (Windows) description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Optimize AppLocker performance **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to optimize AppLocker policy enforcement. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 5889dda71b..7cd27ec5a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -1,5 +1,5 @@ --- -title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) +title: Packaged apps and packaged app installer rules in AppLocker (Windows) description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Packaged apps and packaged app installer rules in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker rule collection for packaged app installers and packaged apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index f197b8f4b2..b2c76c96e0 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -1,5 +1,5 @@ --- -title: Plan for AppLocker policy management (Windows 10) +title: Plan for AppLocker policy management (Windows) description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Plan for AppLocker policy management **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index 462a865a4f..c306fa8809 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -1,5 +1,5 @@ --- -title: Refresh an AppLocker policy (Windows 10) +title: Refresh an AppLocker policy (Windows) description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Refresh an AppLocker policy **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to force an update for an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index acabab7d69..a643ae51a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -1,5 +1,5 @@ --- -title: Requirements for deploying AppLocker policies (Windows 10) +title: Requirements for deploying AppLocker policies (Windows) description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Requirements for deploying AppLocker policies **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index d4778ed70d..63b249672d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -1,5 +1,5 @@ --- -title: Requirements to use AppLocker (Windows 10) +title: Requirements to use AppLocker (Windows) description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Requirements to use AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. @@ -38,11 +43,11 @@ To use AppLocker, you need: ## Operating system requirements -The following table show the on which operating systems AppLocker features are supported. +The following table shows the on which operating systems AppLocker features are supported. | Version | Can be configured | Can be enforced | Available rules | Notes | | - | - | - | - | - | -| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | +| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016. | | Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | | Windows 8.1 Pro| Yes| No| N/A|| | Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index da19e309e8..4c9ff4b21a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -1,5 +1,5 @@ --- -title: Run the Automatically Generate Rules wizard (Windows 10) +title: Run the Automatically Generate Rules wizard (Windows) description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Run the Automatically Generate Rules wizard **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index db4968297c..4b4ca99f66 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -1,5 +1,5 @@ --- -title: Script rules in AppLocker (Windows 10) +title: Script rules in AppLocker (Windows) description: This topic describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Script rules in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the script rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 7e757f7903..006efd19a1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -1,5 +1,5 @@ --- -title: Security considerations for AppLocker (Windows 10) +title: Security considerations for AppLocker (Windows) description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Security considerations for AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 174e5d8a77..9dedd807d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -1,5 +1,5 @@ --- -title: Select the types of rules to create (Windows 10) +title: Select the types of rules to create (Windows) description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Select the types of rules to create **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists resources you can use when selecting your application control policy rules by using AppLocker. From 8f46ac52b0ad052f76d2a0e74a2ec02d915479c2 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 24 Aug 2021 16:11:30 +0530 Subject: [PATCH 14/41] Resolving suggestions Resolving suggestions and trying if Acrolinx is working! --- .../applocker/document-your-applocker-rules.md | 2 +- .../applocker/plan-for-applocker-policy-management.md | 2 +- .../applocker/requirements-for-deploying-applocker-policies.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 40154a27ac..61e0ea6cd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md 
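Review bot: the link text in the added `>[!NOTE]` block reads "Defender App Guard feature availability", but the target is `/windows/security/threat-protection/windows-defender-application-control/feature-availability` and the sentence it sits in is about Windows Defender Application Control; Application Guard is a different feature, so the link text should say "Windows Defender Application Control feature availability". This applies to the NOTE added in each of run-the-automatically-generate-rules-wizard.md, script-rules-in-applocker.md, security-considerations-for-applocker.md and select-types-of-rules-to-create.md in this patch.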
@@ -46,7 +46,7 @@ Document the following items for each business group or organizational unit: The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md). - +
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index b2c76c96e0..5f7299192b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -143,7 +143,7 @@ The three key areas to determine for AppLocker policy management are: The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. -
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index a643ae51a4..3d09d68ef3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -41,7 +41,7 @@ The following requirements must be met or addressed before you deploy your AppLo An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)). -
+
From 3dacc0220839c3cff6027f3262f48b0d56e0b7e7 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Tue, 24 Aug 2021 16:46:48 +0530 Subject: [PATCH 15/41] TASK 5358645 : Batch 05, Windows 11 Inclusion updates Fifth batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to few words as per Acrolinx suggestions to meet the PR criteria). --- ...cker-policy-by-using-test-applockerpolicy.md | 11 ++++++++--- .../test-and-update-an-applocker-policy.md | 11 ++++++++--- .../applocker/tools-to-use-with-applocker.md | 11 ++++++++--- ...understand-applocker-enforcement-settings.md | 11 ++++++++--- ...erstand-applocker-policy-design-decisions.md | 17 ++++++++++++----- ...ement-setting-inheritance-in-group-policy.md | 13 +++++++++---- ...d-the-applocker-policy-deployment-process.md | 11 ++++++++--- ...applocker-allow-and-deny-actions-on-rules.md | 11 ++++++++--- .../understanding-applocker-default-rules.md | 11 ++++++++--- .../understanding-applocker-rule-behavior.md | 11 ++++++++--- .../understanding-applocker-rule-collections.md | 11 ++++++++--- ...erstanding-applocker-rule-condition-types.md | 11 ++++++++--- .../understanding-applocker-rule-exceptions.md | 11 ++++++++--- ...the-file-hash-rule-condition-in-applocker.md | 11 ++++++++--- ...ding-the-path-rule-condition-in-applocker.md | 11 ++++++++--- ...the-publisher-rule-condition-in-applocker.md | 11 ++++++++--- ...to-create-and-maintain-applocker-policies.md | 11 ++++++++--- ...e-restriction-policies-in-the-same-domain.md | 17 +++++++++++------ ...-the-applocker-windows-powershell-cmdlets.md | 11 ++++++++--- .../using-event-viewer-with-applocker.md | 11 ++++++++--- ...striction-policies-and-applocker-policies.md | 11 ++++++++--- .../applocker/what-is-applocker.md | 11 ++++++++--- .../windows-installer-rules-in-applocker.md | 11 ++++++++--- .../working-with-applocker-policies.md | 11 ++++++++--- .../applocker/working-with-applocker-rules.md | 11 ++++++++--- .../deploy-wdac-policies-with-memcm.md | 8 ++++++-- 
.../deploy-wdac-policies-with-script.md | 6 +++++- .../operations/known-issues.md | 9 +++++++-- 28 files changed, 226 insertions(+), 86 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index fd78e7c563..ca0dc2f8e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -1,5 +1,5 @@ --- -title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) +title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows) description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Test an AppLocker policy by using Test-AppLockerPolicy **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 2027085b0e..3a42a9d7aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -1,5 +1,5 @@ --- -title: Test and update an AppLocker policy (Windows 10) +title: Test and update an AppLocker policy (Windows) description: This topic discusses the steps required to test an AppLocker policy prior to deployment. ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Test and update an AppLocker policy **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic discusses the steps required to test an AppLocker policy prior to deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index a39370e796..19eb7cd1d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md 
@@ -1,5 +1,5 @@ --- -title: Tools to use with AppLocker (Windows 10) +title: Tools to use with AppLocker (Windows) description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Tools to use with AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tools available to create and administer AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index cbd1b7c62e..7058ee0c64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -1,5 +1,5 @@ --- -title: Understand AppLocker enforcement settings (Windows 10) +title: Understand AppLocker enforcement settings (Windows) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Understand AppLocker enforcement settings **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the AppLocker enforcement settings for rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 95dcad5fe6..ccdfd461a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -1,5 +1,5 @@ --- -title: Understand AppLocker policy design decisions (Windows 10) +title: Understand AppLocker policy design decisions (Windows) description: Review some common considerations while you are planning to use AppLocker to deploy application control policies within a Windows environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Understand AppLocker policy design decisions **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. 
@@ -46,7 +51,7 @@ You might need to control a limited number of apps because they access sensitive | Possible answers | Design considerations| | - | - | | Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| -| Control specific apps | When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +| Control specific apps | When you create AppLocker rules, a list of allowed apps is created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| |Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. 
AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.
For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.| | Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| | Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| 
@@ -54,7 +59,7 @@ You might need to control a limited number of apps because they access sensitive >**Important:** The following list contains files or types of files that cannot be managed by AppLocker: -- AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. +- AppLocker does not protect against running 16-bit DOS binaries in an NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. - You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. @@ -108,6 +113,7 @@ If your organization supports multiple Windows operating systems, app control po
- +

SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

+ @@ -126,7 +131,7 @@ The following table compares the features and functions of Software Restriction - + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 58576ff79e..ce28a56e21 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -1,5 +1,5 @@ --- -title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) +title: Use the AppLocker Windows PowerShell cmdlets (Windows) description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Use the AppLocker Windows PowerShell cmdlets **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 7895373d6e..3015885de1 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -1,5 +1,5 @@ --- -title: Using Event Viewer with AppLocker (Windows 10) +title: Using Event Viewer with AppLocker (Windows) description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Using Event Viewer with AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 5e34495965..79b2485918 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md 
@@ -1,5 +1,5 @@ --- -title: Use Software Restriction Policies and AppLocker policies (Windows 10) +title: Use Software Restriction Policies and AppLocker policies (Windows) description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Use Software Restriction Policies and AppLocker policies **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 5e8f5b2efb..b65a70c0fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -1,5 +1,5 @@ --- -title: What Is AppLocker (Windows 10) +title: What Is AppLocker (Windows) description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # What Is AppLocker? **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 77b78c5a84..0975dd70c7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -1,5 +1,5 @@ --- -title: Windows Installer rules in AppLocker (Windows 10) +title: Windows Installer rules in AppLocker (Windows) description: This topic describes the file formats and available default rules for the Windows Installer rule collection. ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Windows Installer rules in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the Windows Installer rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 276960c4b0..e4c6caae70 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -1,5 +1,5 @@ --- -title: Working with AppLocker policies (Windows 10) +title: Working with AppLocker policies (Windows) description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Working with AppLocker policies **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 67910704f3..74ce2ea9d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -1,5 +1,5 @@ --- -title: Working with AppLocker rules (Windows 10) +title: Working with AppLocker rules (Windows) description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 ms.reviewer: 
@@ -19,8 +19,13 @@ ms.technology: mde # Working with AppLocker rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 6e4c3d3b7a..3dcca008bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -1,5 +1,5 @@ --- -title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows 10) +title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows) description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. keywords: security, malware ms.prod: m365-security 
@@ -21,13 +21,17 @@ ms.localizationpriority: medium **Applies to:** - Windows 10 +- Windows 11 - Windows Server 2016 and above +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). + You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines. ## Use MEMCM's built-in policies -MEMCM includes native support for WDAC, which allows you to configure Windows 10 client computers with a policy that will only allow: +MEMCM includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: - Windows components - Microsoft Store apps diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index ca2d5fed65..2212ae92fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -1,5 +1,5 @@ --- -title: Deploy Windows Defender Application Control (WDAC) policies using script (Windows 10) +title: Deploy Windows Defender Application Control (WDAC) policies using script (Windows) description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide. keywords: security, malware ms.prod: m365-security 
@@ -21,8 +21,12 @@ ms.localizationpriority: medium **Applies to:** - Windows 10 +- Windows 11 - Windows Server 2016 and above +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). + This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index c525c8832f..3cd76bde2b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -20,8 +20,13 @@ ms.localizationpriority: medium **Applies to:** -- Windows 10 -- Windows Server 2016 and above + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production. From 82317a45d67bd9a09a63954a1bcd46bf64cc7c76 Mon Sep 17 00:00:00 2001 
From: MandiOhlinger Date: Tue, 24 Aug 2021 11:47:28 -0400 Subject: [PATCH 16/41] removing article from TOC, acrolinx --- .openpublishing.redirection.json | 5 +++ .../apps-in-windows-10.md | 44 +++++++++---------- windows/application-management/index.yml | 10 ++--- .../provisioned-apps-windows-client-os.md | 6 +-- .../system-apps-windows-client-os.md | 4 +- 5 files changed, 36 insertions(+), 33 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1e2452332b..ad9f41fa2b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,10 @@ { "redirections": [ + { + "source_path": "windows/application-management/msix-app-packaging-tool.md", + "redirect_url": "/windows/application-management/apps-in-windows-10", + "redirect_document_id": false + }, { "source_path": "browsers/edge/about-microsoft-edge.md", "redirect_url": "/previous-versions/windows/edge-legacy/about-microsoft-edge", diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 0b8ebbf7c7..51766c306a 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,14 +1,14 @@ --- title: Learn about the different app types in Windows 10 | Microsoft Docs ms.reviewer: -manager: dansimp -description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. +manager: dougeby +description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -ms.author: greglin -author: greg-lindsay +ms.author: mandia +author: MandiOhlinger ms.localizationpriority: medium ms.topic: article --- 
@@ -33,9 +33,9 @@ In this article, we mention these services. If you're not managing your devices There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices. -- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. +- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. Using an MDM provider, these apps can also be deployed to mobile devices, including smartphones. - [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) + For more information on the Microsoft 365 license options, and what you get, see [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). - **Power Apps**: These apps connect to business data available online and on-premises, and can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/powerapps/powerapps-overview). 
@@ -48,12 +48,12 @@ There are different types of apps that can run on your Windows client devices. T - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps: - - **Provisioned**: Installed in user account the first time you sign in with a new user account. + - **Provisioned**: Installed in user account the first time you sign in with a new user account. For a list of some common provisioned apps, see [Provisioned apps installed with the Windows client OS](provisioned-apps-windows-client-os.md). - **Installed**: Installed as part of the OS. - - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. + - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. For a list of some common system apps, see [System apps installed with the Windows client OS](system-apps-windows-client-os.md). -- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. But, not all Windows apps are UWP apps. +- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps. For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide). 
@@ -61,7 +61,7 @@ There are different types of apps that can run on your Windows client devices. T Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a Web App](https://azure.microsoft.com/get-started/web-app/). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview). - Use MDM to create shortcut on devices + Use an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices. - **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET. 
@@ -74,25 +74,25 @@ There are different types of apps that can run on your Windows client devices. T When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. -- **Manually install**: On your devices, users can install apps from the Microsoft Store and from the internet. These apps, and more, are listed in **Settings** > **Apps and Features**. +- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps and Features**. - If you want to prevent users from downloading apps on organization owned devices, you can use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). + If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). -- **Mobile device management (MDM)**: Use a MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. 
For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more. +- **Mobile device management (MDM)**: Use an MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more. For more information, see: - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) -- **Microsoft Store**: Using the Microsoft Store app, Windows users can download apps from the public store, and download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **Windows Package Manager** to add apps to the private store. +- **Microsoft Store**: Using the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **Windows Package Manager** to add apps to the private store. To help manage the Microsoft Store on your devices, you can use policies: - On premises, you can use Administrative Templates in group policy to control access to the Microsoft Store app (`User Configuration\Administrative Templates\Windows Components\Store`). - - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to control access to the Microsoft Store app. 
+ - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to control access to the Microsoft Store app. For more information, see: @@ -104,7 +104,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic To deploy MSIX packages and their apps, you can: - Use an MDM provider, like Microsoft Intune and Configuration Manager. - - Use an App Installer so users double-click an installer file, or select a link on a web page. + - Use an App Installer. User users double-click an installer file, or select a link on a web page. - And more. For more information, see: @@ -112,7 +112,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic - [What is MSIX?](/windows/msix/overview) - [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise) -- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers. +- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers. If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option for your organization. 
@@ -120,26 +120,24 @@ When your apps are ready, you can add or deploy these apps to your Windows devic - **Azure Virtual desktop with MSIX app attach**: With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups. - The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they were installed locally. + The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. - If you currently use App-V, and want to decrease your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization. + If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization. For more information, see: - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) -- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps. On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they were installed locally. +- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps. On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. 
They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally. The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md). To help manage App-V on your devices, you can use policies: - On premises, you can use Administrative Templates in group policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`). - - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to deploy App-V policies. + - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to deploy App-V policies. > [!TIP] > If you want to decrease your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the better deployment for your organization. -## Remove apps - diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index d3a95df0d0..d9d22489a8 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml 
@@ -13,8 +13,8 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 04/30/2021 #Required; mm/dd/yyyy format. - localization_priority: medium + ms.date: 08/24/2021 #Required; mm/dd/yyyy format. + ms.localizationpriority : medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -26,11 +26,11 @@ landingContent: linkLists: - linkListType: overview links: - - text: Understand apps in Windows 10 + - text: Understand apps in Windows client OS url: apps-in-windows-10.md - - text: How to add apps and features to Windows 10 + - text: How to add apps and features url: add-apps-and-features.md - - text: Sideload LOB apps in Windows 10 + - text: Sideload LOB apps url: sideload-apps-in-windows-10.md - text: Keep removed apps from returning during an update url: remove-provisioned-apps-during-update.md diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index c426de223d..48795d6801 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md 
@@ -21,9 +21,9 @@ ms.topic: article Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. -This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows Powershell command to get a list. +This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows PowerShell command to get a list. -## Use Windows Powershell +## Use Windows PowerShell To get a list of all the provisioned apps, use Windows PowerShell: @@ -382,7 +382,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. --- - - The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you can restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it. + - The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you must restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it. - [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI - Supported versions: diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 0ac52b682f..6ebea1ded8 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md 
@@ -21,9 +21,9 @@ ms.topic: article On all Windows devices, the OS automatically installs some apps. These apps are called system apps, and are typically installed in the `C:\Windows\` folder. On your Windows devices, you can use Windows PowerShell to see the system apps automatically installed. -This article lists the built-in system apps on some Windows OS versions, and lists the Windows Powershell command to get a list. +This article lists the built-in system apps on some Windows OS versions, and lists the Windows PowerShell command to get a list. -## Use Windows Powershell +## Use Windows PowerShell To get a list of all the system apps, use Windows PowerShell: From 30437e4ea787e11c9c8a1789d2c10578738081b7 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 24 Aug 2021 12:05:03 -0400 Subject: [PATCH 17/41] fixed validation warnings --- .../add-apps-and-features.md | 4 +- .../apps-in-windows-10.md | 2 +- .../msix-app-packaging-tool.md | 42 ------------------- windows/application-management/toc.yml | 5 +-- 4 files changed, 6 insertions(+), 47 deletions(-) delete mode 100644 windows/application-management/msix-app-packaging-tool.md diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 2834995eab..6a6c743b1c 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md 
@@ -16,7 +16,9 @@ ms.topic: article # How to add apps and features to Windows 10 > Applies to: Windows 10 -Windows 10 includes a range of [applications](apps-in-windows-10.md), from [system apps](apps-in-windows-10.md#system-apps) that support the operating system (like Settings) to ["provisioned" apps](apps-in-windows-10.md#provisioned-windows-apps) (like Feedback Hub) that are installed the first time you run Windows. We also provide additional apps and features, called Features on Demand (like language packs or handwriting recognition), that you can install at any time. If you're working in a managed environment (like at work, where you have an administrator who manages your systems and resources), your admin can use [Windows Update to install Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you're working on your own device, you can add apps and features from the Settings app. +Windows 10 includes a range of [applications](apps-in-windows-10.md), from [system apps](system-apps-windows-client-os.md) that support the operating system (like Settings) to ["provisioned" apps](provisioned-apps-windows-client-os.md) (like Feedback Hub) that are installed the first time you run Windows. We also provide additional apps and features, called Features on Demand (like language packs or handwriting recognition), that you can install at any time. If you're working in a managed environment (like at work, where you have an administrator who manages your systems and resources), your admin can use [Windows Update to install Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). + +If you're working on your own device, you can add apps and features from the Settings app. Here's how you do that: diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 51766c306a..185ad28d5e 100644 
--- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -25,7 +25,7 @@ As organizations become more global, and to support employees working from anywh In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: -- [Microsoft Endpoint Manager overview](mem/endpoint-manager-overview) +- [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview) - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md deleted file mode 100644 index 97a832c6e9..0000000000 --- a/windows/application-management/msix-app-packaging-tool.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: Repackage your existing win32 applications to the MSIX format. -description: Learn how to install and use the MSIX packaging tool to repackage your existing win32 applications to the MSIX format. -keywords: ["MSIX", "application", "app", "win32", "packaging tool"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 12/03/2018 -ms.reviewer: -manager: dansimp -author: greg-lindsay - -ROBOTS: NOINDEX ---- - -# Repackage existing win32 applications to the MSIX format - -MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format. - -You can either run your installer interactively (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store. - -- [Package your favorite application installer](/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format. -- Create a [modification package](/windows/msix/packaging-tool/package-editor) to update an existing MSIX package. -- [Bundle multiple MSIX packages](/windows/msix/packaging-tool/bundle-msix-packages) for distribution. - -## Installing the MSIX Packaging Tool - -### Prerequisites - -- Windows 10, version 1809 (or later) -- Participation in the Windows Insider Program (if you're using an Insider build) -- A valid Microsoft work or school account to access the app from the Microsoft Store -- Admin privileges on your PC account - -### Get the app from the Microsoft Store - -1. 
Use the Microsoft work or school account login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). -2. Open the product description page. -3. Click the install icon to begin installation. \ No newline at end of file diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index c72329ed9e..0e0f44a1bb 100644 --- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -4,8 +4,9 @@ items: - name: Application management items: - name: Apps in Windows client OS - href: apps-in-windows-10.md items: + - name: Common app types + href: apps-in-windows-10.md - name: Provisioned apps in Windows client OS href: provisioned-apps-windows-client-os.md - name: System apps in Windows client OS @@ -18,8 +19,6 @@ items: href: enterprise-background-activity-controls.md - name: Enable or block Windows Mixed Reality apps in the enterprise href: manage-windows-mixed-reality.md - - name: Repackage win32 apps in the MSIX format - DELETE - href: msix-app-packaging-tool.md - name: Application Virtualization (App-V) items: - name: App-V for Windows 10 overview From b6b9d3accf833e49dd7b64e3890adb0f832bac0f Mon Sep 17 00:00:00 2001 From: Alice-at-Microsoft <79878795+Alice-at-Microsoft@users.noreply.github.com> Date: Tue, 24 Aug 2021 10:11:18 -0700 Subject: [PATCH 18/41] Update policy-csp-system.md Update AllowWUfBCloudProcessing --- windows/client-management/mdm/policy-csp-system.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b02ba826b4..0a38aefabc 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -62,7 +62,7 @@ manager: dansimp System/AllowUserToResetPhone
- System/AllowWuFBCloudProcessing + System/AllowWUfBCloudProcessing
System/BootStartDriverInitialization @@ -964,7 +964,7 @@ The following list shows the supported values:
-**System/AllowWuFBCloudProcessing** +**System/AllowWUfBCloudProcessing**
@@ -985,6 +985,15 @@ If you disable or do not configure this policy setting, devices enrolled to the
+ + +The following list shows the supported values: + +- 0 - Disabled. +- 8 - Enabled. + + + **System/BootStartDriverInitialization** From e5e0e83b89d02681d4315027d890f7321d38a040 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Tue, 24 Aug 2021 10:46:27 -0700 Subject: [PATCH 19/41] place steps in policy --- .../mdm/policy-csp-mixedreality.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index cdf909411f..7f7e8ae961 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -40,20 +40,6 @@ manager: dansimp
-Steps to use this policy correctly: - -1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). - 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays - 1. The value can be between min / max allowed. -1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. -1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. - -> [!NOTE] -> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. -
@@ -79,6 +65,20 @@ Steps to use this policy correctly:

Your organization's computers are running a combination of the following operating systems:

    +
  • Windows 11

  • Windows 10

  • Windows 8

  • Windows 7

  • @@ -130,6 +136,7 @@ If your organization supports multiple Windows operating systems, app control po

Your organization's computers are running only the following operating systems:

    +
  • Windows 11

  • Windows 10

  • Windows 8.1

  • Windows 8

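Review bot: the two operating-system lists in this hunk do not agree after Windows 11 is added. The first list ("a combination of the following") reads Windows 11, Windows 10, Windows 8, Windows 7 with no Windows 8.1 entry, while the second ("only the following") reads Windows 11, Windows 10, Windows 8.1, Windows 8. Since both lists are being touched anyway, check whether the missing Windows 8.1 line in the first list is deliberate and make the two lists consistent.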
  • diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 5350f5c843..05ac74902a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -1,5 +1,5 @@ --- -title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) +title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows) description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 ms.reviewer: 
@@ -21,12 +21,17 @@ ms.technology: mde # Understand AppLocker rules and enforcement setting inheritance in Group Policy **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. -Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. +Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps, and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. Group Policy merges AppLocker policy in two ways: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 0f909bdf3d..f3554e846c 100644 
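Review bot: the rewording in the last hunk of this file changes the meaning. "scripts, packaged apps, and packaged app installers, and DLL files" now reads as six rule collections, but "packaged apps and packaged app installers" is a single AppLocker rule collection (the rule-collections article in this same patch describes "the five different types of AppLocker rules"). Keep the original "scripts, packaged apps and packaged app installers, and DLL files". Second, in the new NOTE block the link text "Defender App Guard feature availability" does not match its target, /windows/security/threat-protection/windows-defender-application-control/feature-availability, which is the Windows Defender Application Control page; Application Guard is a different feature. Suggest "Windows Defender Application Control feature availability". The same NOTE is pasted into every AppLocker file in this patch, so the fix applies to all of them.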
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -1,5 +1,5 @@ --- -title: Understand the AppLocker policy deployment process (Windows 10) +title: Understand the AppLocker policy deployment process (Windows) description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Understand the AppLocker policy deployment process **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 941aa4f30d..319498a599 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md 
@@ -1,5 +1,5 @@ --- -title: Understanding AppLocker allow and deny actions on rules (Windows 10) +title: Understanding AppLocker allow and deny actions on rules (Windows) description: This topic explains the differences between allow and deny actions on AppLocker rules. ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Understanding AppLocker allow and deny actions on rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the differences between allow and deny actions on AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index e9e449b52e..7a33f4dde5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -1,5 +1,5 @@ --- -title: Understanding AppLocker default rules (Windows 10) +title: Understanding AppLocker default rules (Windows) description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Understanding AppLocker default rules **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 041eee8f69..92f40c3d8c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -1,5 +1,5 @@ --- -title: Understanding AppLocker rule behavior (Windows 10) +title: Understanding AppLocker rule behavior (Windows) description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Understanding AppLocker rule behavior **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index 319c895fd9..e8cf87080b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -1,5 +1,5 @@ --- -title: Understanding AppLocker rule collections (Windows 10) +title: Understanding AppLocker rule collections (Windows) description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Understanding AppLocker rule collections **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 8dfb91c58e..80ce31b642 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -1,5 +1,5 @@ --- -title: Understanding AppLocker rule condition types (Windows 10) +title: Understanding AppLocker rule condition types (Windows) description: This topic for the IT professional describes the three types of AppLocker rule conditions. ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 ms.reviewer: 
@@ -21,8 +21,13 @@ ms.technology: mde # Understanding AppLocker rule condition types **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the three types of AppLocker rule conditions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index eb3084b691..c4cf8ac3ea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -1,5 +1,5 @@ --- -title: Understanding AppLocker rule exceptions (Windows 10) +title: Understanding AppLocker rule exceptions (Windows) description: This topic describes the result of applying AppLocker rule exceptions to rule collections. ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Understanding AppLocker rule exceptions **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the result of applying AppLocker rule exceptions to rule collections. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 7a8bfc63d1..1bb2c999af 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -1,5 +1,5 @@ --- -title: Understanding the file hash rule condition in AppLocker (Windows 10) +title: Understanding the file hash rule condition in AppLocker (Windows) description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Understanding the file hash rule condition in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 057a3dabde..e8856ed8ee 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -1,5 +1,5 @@ --- -title: Understanding the path rule condition in AppLocker (Windows 10) +title: Understanding the path rule condition in AppLocker (Windows) description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Understanding the path rule condition in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 8636e3b8dd..8dade37801 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md 
@@ -1,5 +1,5 @@ --- -title: Understanding the publisher rule condition in AppLocker (Windows 10) +title: Understanding the publisher rule condition in AppLocker (Windows) description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Understanding the publisher rule condition in AppLocker **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 228ca42a8d..a283a7ab4f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md 
@@ -1,5 +1,5 @@ --- -title: Use a reference device to create and maintain AppLocker policies (Windows 10) +title: Use a reference device to create and maintain AppLocker policies (Windows) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 ms.author: macapara @@ -21,8 +21,13 @@ ms.technology: mde # Use a reference device to create and maintain AppLocker policies **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index b6018803fb..6dcd91c001 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md 
@@ -1,5 +1,5 @@ --- -title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) +title: Use AppLocker and Software Restriction Policies in the same domain (Windows) description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 ms.reviewer: @@ -21,8 +21,13 @@ ms.technology: mde # Use AppLocker and Software Restriction Policies in the same domain **Applies to** -- Windows 10 -- Windows Server + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. @@ -71,8 +76,8 @@ The following table compares the features and functions of Software Restriction

Enforcement mode

SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

-

SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.

AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.

File types that can be controlled

Editing the hash value

In Windows XP, you could use SRP to provide custom hash values.

Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.

AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and a SHA2 flat file hash for the rest.

AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.

Support for different security levels

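Review bot: the two wording edits in this table hunk are inconsistent with the rest of the row. "allow list mode" becomes "allowlist mode" in the AppLocker cell, but the SRP cell in the same row still says "deny list mode" and "allow list mode"; spell all three the same way or leave them as they were. The change from "a SHA2 flat file hash" to "an SHA2 flat file hash" is wrong: SHA is read as a word, so "a SHA2" is correct, and the same sentence already says "the SHA2 Authenticode hash". While here, "whereas the rest of the file is allowed to run by default" should be "whereas the rest of the files are allowed to run by default".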
+Steps to use this policy correctly: + +1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). +1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). + 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays + 1. The value can be between min / max allowed. +1. Enroll HoloLens devices and verify both configurations get applied to the device. +1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. + +> [!NOTE] +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. +
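Review bot: the NOTE at the end of the re-added block is not a sentence: "Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to "disconnected" environments." Since the block is being moved anyway, fix it here, for example "Until step 4 has been completed for an Azure AD user, that user sees the same failure behavior as in a disconnected environment." Three smaller points in the same hunk: the list uses auto-numbering (`1.` on every item) but the text refers to "Steps 4 and 5" and "step 4" by number, which silently goes wrong if an item is inserted; "The value can be between min / max allowed" should state the actual minimum and maximum for AADGroupMembershipCacheValidityInDays, or point to where the policy defines them; and the OMA-URI `./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays` should be in code formatting so it can be copied exactly. The steps would also benefit from one sentence on the trade-off the value controls: while the cached membership is valid, a user removed from the targeted Azure AD group can still use the kiosk offline until the cache expires, so the number of days is effectively the revocation lag.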
From 5c4750b396c242154e643b8204b6bc02b6752e8d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 24 Aug 2021 12:56:06 -0700 Subject: [PATCH 20/41] fix links --- windows/deployment/TOC.yml | 2 ++ windows/deployment/index.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index d61509c788..967f57f92e 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -271,6 +271,8 @@ href: update/how-windows-update-works.md - name: Windows 10 upgrade paths href: upgrade/windows-10-upgrade-paths.md + - name: Windows 10 edition upgrade + href: upgrade/windows-10-edition-upgrades.md - name: Deploy Windows 10 with Microsoft 365 href: deploy-m365.md - name: Understand the Unified Update Platform diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index d938c4922b..1bb703d0bf 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -67,7 +67,7 @@ landingContent: - text: What's new in Windows deployment url: deploy-whats-new.md - text: Windows 11 overview - url: /windows/whats-new/windows-11.md + url: /windows/whats-new/windows-11 - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools From d9c01d5fca28b943d6188083a4a1874104fc332a Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 25 Aug 2021 09:02:26 +0530 Subject: [PATCH 21/41] update-task-5358656 To fix suggestions --- .../windows-sandbox/windows-sandbox-architecture.md | 2 +- .../windows-sandbox/windows-sandbox-configure-using-wsb-file.md | 2 +- .../windows-sandbox/windows-sandbox-overview.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index 1ea2225ff6..40ce6c2dea 100644 
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md @@ -1,6 +1,6 @@ --- title: Windows Sandbox architecture -description: +description: Windows Sandbox architecture ms.prod: m365-security audience: ITPro author: dansimp diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 553720a2f2..1f1a23bd49 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -1,6 +1,6 @@ --- title: Windows Sandbox configuration -description: +description: Windows Sandbox configuration ms.prod: m365-security audience: ITPro author: dansimp diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 5d3cb0e3e3..47287eeff3 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -1,6 +1,6 @@ --- title: Windows Sandbox -description: +description: Windows Sandbox overview ms.prod: m365-security audience: ITPro author: dansimp From 7d5dcb5f0737fd0ea2cd300380145bced5316cc0 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 25 Aug 2021 09:39:20 +0530 Subject: [PATCH 22/41] update-per-5358718 Removed keywords tag for SEO guidelines --- .../microsoft-defender-smartscreen-available-settings.md | 1 - .../microsoft-defender-smartscreen-overview.md | 1 - .../microsoft-defender-smartscreen-set-individual-device.md | 1 - 3 files changed, 3 deletions(-) 
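Review bot: the three new description values ("Windows Sandbox architecture", "Windows Sandbox configuration", "Windows Sandbox overview") only repeat each page's title, so they do nothing for search results or the docs index, which is the reason the empty field is being filled. Give each one a short sentence that says what the page explains and who it is for, in the same style as the SmartScreen descriptions in the next commit of this series.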
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 476c4b6291..9229244aa8 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -1,7 +1,6 @@ --- title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows) description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. -keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index b08aecf50b..eb3198ffba 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -1,7 +1,6 @@ --- title: Microsoft Defender SmartScreen overview (Windows) description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. -keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 7d4064e3d3..fd30a2affc 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md @@ -1,7 +1,6 @@ --- title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows) description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. -keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library From c25ad29c512d2bc0042b8407df5ef6c6c6e66d65 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 25 Aug 2021 13:21:30 -0400 Subject: [PATCH 23/41] final updates - hopefully --- .../add-apps-and-features.md | 76 ++++++++++--- .../apps-in-windows-10.md | 11 +- windows/application-management/index.yml | 2 +- .../sideload-apps-in-windows-10.md | 106 ++++++++++-------- windows/application-management/toc.yml | 2 +- 5 files changed, 125 insertions(+), 72 deletions(-) diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 6a6c743b1c..835543cb01 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md 
@@ -1,32 +1,74 @@ --- -title: Windows 10 - How to add apps from Apps & features -description: Learn how to add apps, like XPS Viewer, to your Windows 10 device with the Apps & features page in Settings +title: Add or hide optional apps and features on Windows devices | Microsoft Docs +description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: article -ms.author: greglin -author: greg-lindsay +ms.author: mandia +author: MandiOhlinger ms.localizationpriority: medium -ms.date: 04/26/2018 +ms.date: 08/25/2021 ms.reviewer: -manager: dansimp +manager: dougeby ms.topic: article --- -# How to add apps and features to Windows 10 -> Applies to: Windows 10 -Windows 10 includes a range of [applications](apps-in-windows-10.md), from [system apps](system-apps-windows-client-os.md) that support the operating system (like Settings) to ["provisioned" apps](provisioned-apps-windows-client-os.md) (like Feedback Hub) that are installed the first time you run Windows. We also provide additional apps and features, called Features on Demand (like language packs or handwriting recognition), that you can install at any time. If you're working in a managed environment (like at work, where you have an administrator who manages your systems and resources), your admin can use [Windows Update to install Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). +# Add or hide features on the Windows client OS -If you're working on your own device, you can add apps and features from the Settings app. 
+> Applies to: +> +> - Windows 10 -Here's how you do that: +The Windows client operating systems include more features that you and your users can install. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (opens another Microsoft web site), and can be installed at any time. On your organization-owned devices, you may want to control access to these other features. -1. In the Search bar, search for "apps." -2. Select **Apps and features** in the results. -3. Select **Manage optional features**, and then select **Add a feature**. -4. Select the feature you want to add, like **XPS Viewer**, and then select **Install.** +This article: -And that's it. You can see the apps you have installed on the **Apps & features** page and the features on **Manage optional features**. +- Shows you how to add features using the user interface. +- Lists the group policies and Mobile device management (MDM) policies to hide Windows Features. +- Includes information on using Windows PowerShell to disable specific Windows Features. -You can manage and uninstall apps and features from the same Settings page. Just select the app or feature, and then select **Uninstall**. \ No newline at end of file +If you're working on your own device, use the **Settings** app to add features. + +## Add or uninstall features + +1. In the Search bar, search for "apps", and select **Apps and features**. +2. Select **Optional features** > **Add a feature**. +3. Select the feature you want to add, like **XPS Viewer**, and then select **Install.** + +When the installation completes, the feature is listed in **Apps & features**. In **Apps & features** > **Optional features** > **More Windows features**, there are more features that you and your users can install. + +To uninstall a feature, open the **Settings** app. Select the feature, and then select **Uninstall**. 
+ +## Use Group Policy or MDM to hide Windows Features + +By default, the OS might show Windows Features, and allow users to install and uninstall these optional apps and features. + +To hide Windows Features on your user devices, you can use Group Policy (on-premises), or use an MDM provider, such as Microsoft Intune (cloud). + +### Group Policy + +If you use Group Policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the Windows Features is hidden on the device. + +You can't use Group Policy to disable specific Windows Features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features) (in this article). + +If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy. + +### MDM + +Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to hide Windows Features. + +If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the Control Panel settings you can configure, see [Control Panel settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings). + +## Use Windows PowerShell to disable specific features + +To disable specific features, you can use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) command. 
There isn't a Group Policy that disables specific Windows Features. + +If you're looking to automate disabling specific features, you can create a scheduled task. Then, use the scheduled task to run your Windows PowerShell script. For more information about Task Scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page). + +Microsoft Intune can also execute Windows PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension). + +## Restore Windows features + +- If you use Group Policy or MDM to hide Windows Features or the entire Apps feature, you can set the policy to **Not configured**. Then, deploy your policy. When the device receives the policy, the features are shown. +- Using Windows PowerShell, you can also enable specific features using the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) command. diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 185ad28d5e..0ad35e3d24 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -74,7 +74,7 @@ There are different types of apps that can run on your Windows client devices. T When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. -- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps and Features**. +- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). 
@@ -87,11 +87,13 @@ When your apps are ready, you can add or deploy these apps to your Windows devic - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) -- **Microsoft Store**: Using the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **Windows Package Manager** to add apps to the private store. +- **Microsoft Store**: Using the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store. To help manage the Microsoft Store on your devices, you can use policies: - - On premises, you can use Administrative Templates in group policy to control access to the Microsoft Store app (`User Configuration\Administrative Templates\Windows Components\Store`). + - On premises, you can use Administrative Templates in Group Policy to control access to the Microsoft Store app: + - `User Configuration\Administrative Templates\Windows Components\Store` + - `Computer Configuration\Administrative Templates\Windows Components\Store` - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to control access to the Microsoft Store app. For more information, see: 
@@ -135,9 +137,8 @@ When your apps are ready, you can add or deploy these apps to your Windows devic To help manage App-V on your devices, you can use policies: - - On premises, you can use Administrative Templates in group policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`). + - On premises, you can use Administrative Templates in Group Policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`). - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to deploy App-V policies. > [!TIP] > If you want to decrease your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the better deployment for your organization. - diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index d9d22489a8..e6739ae97e 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -28,7 +28,7 @@ landingContent: links: - text: Understand apps in Windows client OS url: apps-in-windows-10.md - - text: How to add apps and features + - text: How to add features url: add-apps-and-features.md - text: Sideload LOB apps url: sideload-apps-in-windows-10.md diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 4759d12a8c..5ab1d678f5 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md 
@@ -1,93 +1,103 @@ --- -title: Sideload LOB apps in Windows 10 (Windows 10) -description: Learn how to sideload line-of-business (LOB) apps in Windows 10. When you sideload an app, you deploy a signed app package to a device. +title: Sideload LOB apps in Windows client OS | Microsoft Docs +description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10. When you sideload an app, you deploy a signed app package to a device. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D ms.reviewer: -manager: dansimp +manager: dougeby ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 05/20/2019 +ms.date: 08/25/2021 +ms.localizationpriority: medium --- -# Sideload LOB apps in Windows 10 +# Sideload line of business (LOB) apps in Windows client devices -**Applies to** - -- Windows 10 +> Applies to: +> +> - Windows 10 > [!NOTE] -> As of Windows Insider Build 18956, sideloading is enabled by default. Now, you can deploy a signed package onto a device without a special configuration. +> As of Windows Insider Build 18956, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration. -"Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business. +Sideloading apps is when you install apps that aren't from an official source, such as the Microsoft store. Your organization may create its own apps, including line-of-business (LOB) apps. Many organizations create their own apps to solve problems unique to their business. When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. 
Sideloading was also available with Windows 8 and Windows 8.1 -In Windows 10, sideloading is different than in earlier versions of Windows: +Starting with Windows 10, sideloading is different than in earlier versions of Windows: -- You can unlock a device for sideloading using an enterprise policy, or through **Settings** +- You can unlock a device for sideloading using an enterprise policy, or through the **Settings** app. +- License keys aren't required. +- Devices don't have to be joined to a domain. -- License keys are not required +To allow these apps to run on your Windows devices, you might have to enable sideloading on your devices. This article shows you how to: -- Devices do not have to be joined to a domain +- **Turn on sideloading**: You can deploy using Group Policy or a mobile device management (MDM) provider. Or, you can use **Settings** apps to turn on sideloading. +- **Install the app certificate**: Import the security certificate to the local device. This certificate tells the local device to trust the app. +- **Install the app**: Use Windows PowerShell to install the app package. -## Requirements -Here's what you'll need to have: +## Prerequisites -- Devices need to be unlocked for sideloading (unlock policy enabled) +- Windows devices that are unlocked for sideloading (unlock policy enabled). Meaning, sideloading isn't blocked by a policy. +- A trusted certificate that's assigned to your app. +- An app package that's signed with your certificate. -- Certificate assigned to app +## Step 1: Turn on sideloading -- Signed app package - -And here's what you'll need to do: - -- Turn on sideloading - you can push a policy with an MDM provider, or you can use **Settings**. - -- Trust the app - import the security certificate to the local device. - -- Install the app - use PowerShell to install the app package. - -## How do I sideload an app on desktop You can sideload apps on managed or unmanaged devices. 
->[!IMPORTANT] -> To install an app on Windows 10, in addition to following [these procedures](/windows/msix/app-installer/installing-windows10-apps-web), users can also double-click any APPX/MSIX package. +Managed devices are typically owned by your organization. They're managed by Group Policy (on-premises), or a Mobile Device Management (MDM) provider, such as Microsoft Intune (cloud). Bring your own devices (BYOD) and personal devices can also be managed by your organization. On managed devices, you can create a policy that turns on sideloading, and then deploy this policy to your Windows devices. +Unmanaged devices are devices that are not managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. -**To turn on sideloading for managed devices** +> [!IMPORTANT] +> To install an app on Windows 10 and later, you can: +> +> - [Install Windows 10 apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). +> - Users can double-click any `.APPX` or `.MSIX` package. -- Deploy an enterprise policy. +### User interface +If you're working on your own device, or if devices are unmanaged, use the Settings app: +1. Open the **Settings** app > **Update & Security** > **For developers**. +2. Select **Sideload apps**. -**To turn on sideloading for unmanaged devices** +For more information, see [Enable your device for development](/windows/apps/get-started/enable-your-device-for-development) and [Developer Mode features and debugging](/windows/apps/get-started/developer-mode-features-and-debugging). -1. Open **Settings**. +### Group Policy -2. Click **Update & Security** > **For developers**. +If you use Group Policy, use the `Computer Configuration\Administrative Templates\Windows Components\App Package Deployment` policies to enable or prevent sideloading apps: -3. On **Use developer features**, select **Sideload apps**. 
+- Allows development of Windows Store apps and installing them from an integrated development environment (IDE) +- Allow all trusted apps to install -**To import the security certificate** +By default, the OS might set these policies to **Not configured**, which means app sideloading is turned off. If you set these policies to **Enabled**, users can sideload apps. -1. Open the security certificate for the appx package, and select **Install Certificate**. +### MDM -2. On the **Certificate Import Wizard**, select **Local Machine**. +Using Microsoft Intune, you can also enable sideloading apps on managed devices. For more information, see: -3. Import the certificate to the **Trusted Root Certification Authorities** folder. +- [Sign line-of-business apps so they can be deployed to Windows devices with Intune](/mem/intune/apps/app-sideload-windows) +- [App Store device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10#app-store) + +## Step 2: Import the security certificate + +This step installs the app certificate to the local device. Installing the certificate creates the trust between the app and the device. + +1. Open the security certificate for the `.appx` package, and select **Install Certificate**. + +2. On the **Certificate Import Wizard**, select **Local Machine**. + +3. Import the certificate to the **Trusted Root Certification Authorities** folder. -OR- - You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=619162). + You can use a runtime provisioning package to import a security certificate. 
For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). -**To install the app** -- From the folder with the appx package, run the PowerShell `Add-AppxPackage` command to install the appx package. +## Step 3: Install the app - -  - -  \ No newline at end of file +From the folder with the `.appx` package, run the Windows PowerShell `Add-AppxPackage` command to install the `.appx` package. For more information on this command, see [Add-AppxPackage](/powershell/module/appx/add-appxpackage). diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index 0e0f44a1bb..6847361924 100644 --- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -11,7 +11,7 @@ items: href: provisioned-apps-windows-client-os.md - name: System apps in Windows client OS href: system-apps-windows-client-os.md - - name: Add apps and features in Windows 10 + - name: Add features in Windows client href: add-apps-and-features.md - name: Sideload apps href: sideload-apps-in-windows-10.md From 98f0716d6228609e0487c8de90c296bc8d2f41f5 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 25 Aug 2021 13:31:13 -0400 Subject: [PATCH 24/41] fixed small things --- .../sideload-apps-in-windows-10.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 5ab1d678f5..2895977bac 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md 
@@ -27,15 +27,17 @@ Sideloading apps is when you install apps that aren't from an official source, s When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1 -Starting with Windows 10, sideloading is different than in earlier versions of Windows: +Starting with Windows 10, sideloading is different than earlier versions of Windows: - You can unlock a device for sideloading using an enterprise policy, or through the **Settings** app. - License keys aren't required. - Devices don't have to be joined to a domain. -To allow these apps to run on your Windows devices, you might have to enable sideloading on your devices. This article shows you how to: +To allow these apps to run on your Windows devices, you might have to enable sideloading on your devices. -- **Turn on sideloading**: You can deploy using Group Policy or a mobile device management (MDM) provider. Or, you can use **Settings** apps to turn on sideloading. +This article shows you how to: + +- **Turn on sideloading**: You can deploy using Group Policy or a mobile device management (MDM) provider. Or, you can use the **Settings** app to turn on sideloading. - **Install the app certificate**: Import the security certificate to the local device. This certificate tells the local device to trust the app. - **Install the app**: Use Windows PowerShell to install the app package. 
@@ -75,7 +77,7 @@ If you use Group Policy, use the `Computer Configuration\Administrative Template - Allows development of Windows Store apps and installing them from an integrated development environment (IDE) - Allow all trusted apps to install -By default, the OS might set these policies to **Not configured**, which means app sideloading is turned off. If you set these policies to **Enabled**, users can sideload apps. +By default, the OS might set these policies to **Not configured**, which means app sideloading is turned off. If you set these policies to **Enabled**, then users can sideload apps. ### MDM @@ -100,4 +102,6 @@ This step installs the app certificate to the local device. Installing the certi ## Step 3: Install the app -From the folder with the `.appx` package, run the Windows PowerShell `Add-AppxPackage` command to install the `.appx` package. For more information on this command, see [Add-AppxPackage](/powershell/module/appx/add-appxpackage). +From the folder with the `.appx` package, run the Windows PowerShell `Add-AppxPackage` command to install the `.appx` package. + +For more information on this command, see [Add-AppxPackage](/powershell/module/appx/add-appxpackage). From b5f096d970edb28d63a2a66c3abebacbb1a02a68 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 26 Aug 2021 08:40:13 -0700 Subject: [PATCH 25/41] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 0a38aefabc..d627137d97 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/14/2020 +ms.date: 08/26/2021 ms.reviewer: manager: dansimp --- 
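Review bot: in the add-apps-and-features.md hunk of PATCH 23, the Group Policy path `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` uses the singular `Administrative Template`, while the apps-in-windows-10.md hunk in the same patch writes `User Configuration\Administrative Templates\Windows Components\Store`; use the plural form consistently in both paths, including the `Hide "Programs and Features" page` one. Also, `the Windows Features is hidden on the device` should read `the Windows Features page is hidden on the device`, and `There isn't a Group Policy that disables specific Windows Features.` in the PowerShell section repeats `You can't use Group Policy to disable specific Windows Features` from the Group Policy section, so keep one. Finally, the PowerShell section points at Disable-WindowsOptionalFeature without saying how a reader finds the feature name to pass to it; a pointer to listing the optional features first (Get-WindowsOptionalFeature, from the same DISM module) would make the procedure actionable.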
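Review bot: in the sideload-apps-in-windows-10.md hunk of PATCH 23, the Group Policy section states `By default, the OS might set these policies to **Not configured**, which means app sideloading is turned off`, which contradicts the note kept at the top of the same file (`As of Windows Insider Build 18956, sideloading is enabled by default`); PATCH 24 rewords this sentence but keeps the contradiction, so say which default applies to which Windows build. The two policies listed under `App Package Deployment` also differ in scope: `Allow all trusted apps to install` is the sideloading setting, while `Allows development of Windows Store apps and installing them from an integrated development environment (IDE)` turns on developer mode, which grants more than installing signed packages; the text should say that only the first is needed for sideloading and that the second is a wider grant on organization-owned devices. In Step 2, importing the app's certificate into `Trusted Root Certification Authorities` under `Local Machine` makes that certificate a trusted root for every purpose on the device, not only package installation, which `Installing the certificate creates the trust between the app and the device` understates; state that scope, and for a self-signed package-signing certificate point readers at the narrower Trusted People store instead. Lastly, Steps 2 and 3 mention only `.appx` while the Important note in the same hunk says `.APPX` or `.MSIX`; `Add-AppxPackage` installs both, so name both.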
From 1f0920d20a05ae66d0f4b4f807a3d7dddf66db2a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 26 Aug 2021 16:39:52 -0700 Subject: [PATCH 26/41] update --- windows/deployment/upgrade/setupdiag.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 9e7a29631c..361081ed5e 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -29,10 +29,10 @@ ms.topic: article ## About SetupDiag -Current downloadable version of SetupDiag: 1.6.2107.27002 ->Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. +Current downloadable version of SetupDiag: 1.6.2107.27002. +> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. -SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. +SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode. 
@@ -344,6 +344,10 @@ Each rule name and its associated unique rule identifier are listed with a descr ## Release notes +07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center. +- This version contains compliance updates and minor bug fixes. +- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup. + 05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center. - This version of SetupDiag is included with Windows 10, version 21H1. - A new rule is added: UserProfileSuffixMismatch. From e87ef8501d40b3c702f8ea2aea542b91cc179bf2 Mon Sep 17 00:00:00 2001 
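Review bot: in the first setupdiag.md hunk of PATCH 26, the blockquote line keeps the original typo: `> Always be sure to run the most recent version of SetupDiag, so that can access new functionality` is missing `you` (`so that you can access`); since the line is already being touched to add the space after `>`, fix the wording in the same change.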
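Review bot: in the second setupdiag.md hunk of PATCH 26, the new release entry says only `This version contains compliance updates and minor bug fixes.`, which tells an administrator nothing about what changed; the existing 05/06/2021 entry right below it names the rule it added (`UserProfileSuffixMismatch`), so list the rules or failure cases affected by this release in the same style, or state that the 61 rules are unchanged.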
From: Alekhya Jupudi Date: Fri, 27 Aug 2021 11:58:56 +0530 Subject: [PATCH 27/41] Revert "Merge branch 'master' into aljupudi-w11defender-branch01" This reverts commit 6e47b57bcd3bccd4020bf71580e90b8a10cd716e, reversing changes made to 4467c6631d67200cfabcdd9d4ff576855e14a2e5. --- CONTRIBUTING.md | 10 +- ...ct-data-using-enterprise-site-discovery.md | 14 +- ...rprise-mode-logging-and-data-collection.md | 18 +- ...-on-enterprise-mode-and-use-a-site-list.md | 4 +- ...control-and-logging-for-enterprise-mode.md | 4 +- ...ct-data-using-enterprise-site-discovery.md | 14 +- .../deprecated-document-modes.md | 2 +- ...doc-modes-and-enterprise-mode-site-list.md | 6 +- .../out-of-date-activex-control-blocking.md | 6 +- ...-the-default-browser-using-group-policy.md | 2 +- ...rprise-mode-logging-and-data-collection.md | 18 +- ...s-and-tricks-to-manage-ie-compatibility.md | 4 +- ...-on-enterprise-mode-and-use-a-site-list.md | 4 +- ...control-and-logging-for-enterprise-mode.md | 4 +- .../licensing-version-and-features-ieak11.md | 52 ++--- .../educator-tib-get-started.md | 62 +++--- education/trial-in-a-box/index.md | 4 +- .../trial-in-a-box/itadmin-tib-get-started.md | 46 ++--- education/trial-in-a-box/support-options.md | 12 +- education/windows/autopilot-reset.md | 8 +- education/windows/change-to-pro-education.md | 20 +- .../windows/chromebook-migration-guide.md | 4 +- .../configure-windows-for-education.md | 10 +- .../deploy-windows-10-in-a-school-district.md | 16 +- .../windows/deploy-windows-10-in-a-school.md | 14 +- .../windows/edu-deployment-recommendations.md | 12 +- .../education-scenarios-store-for-business.md | 4 +- .../windows/get-minecraft-for-education.md | 6 +- education/windows/index.md | 10 +- education/windows/school-get-minecraft.md | 46 ++--- .../set-up-school-pcs-azure-ad-join.md | 2 +- .../set-up-students-pcs-to-join-domain.md | 2 +- .../windows/set-up-students-pcs-with-apps.md | 26 +-- education/windows/set-up-windows-10.md | 2 +- 
education/windows/take-a-test-multiple-pcs.md | 14 +- education/windows/take-a-test-single-pc.md | 4 +- education/windows/take-tests-in-windows-10.md | 2 +- education/windows/teacher-get-minecraft.md | 22 +- .../windows/use-set-up-school-pcs-app.md | 2 +- smb/cloud-mode-business-setup.md | 92 ++++----- smb/index.md | 6 +- ...quire-apps-microsoft-store-for-business.md | 2 +- .../billing-understand-your-invoice-msfb.md | 6 +- ...or-business-education-powershell-module.md | 2 +- ...oubleshoot-microsoft-store-for-business.md | 10 +- ...-new-microsoft-store-business-education.md | 4 +- .../working-with-line-of-business-apps.md | 2 +- ...ation-publishing-and-client-interaction.md | 6 +- .../app-v/appv-deployment-checklist.md | 6 +- .../app-v/appv-install-the-sequencer.md | 2 +- .../app-v/appv-planning-checklist.md | 12 +- ...enterprise-background-activity-controls.md | 6 +- .../per-user-services-in-windows.md | 14 +- .../svchost-service-refactoring.md | 8 +- .../administrative-tools-in-windows-10.md | 4 +- ...nced-troubleshooting-802-authentication.md | 20 +- .../advanced-troubleshooting-boot-problems.md | 2 +- ...eshooting-wireless-network-connectivity.md | 4 +- ...t-removal-policy-external-storage-media.md | 2 +- .../connect-to-remote-aadj-pc.md | 4 +- .../client-management/img-boot-sequence.md | 2 +- .../introduction-page-file.md | 6 +- ...e-device-installation-with-group-policy.md | 38 ++-- .../manage-settings-app-with-group-policy.md | 2 +- ...-in-your-organization-modern-management.md | 2 +- .../mandatory-user-profile.md | 16 +- .../mdm/accountmanagement-csp.md | 2 +- ...ure-ad-tenant-and-azure-ad-subscription.md | 32 +-- .../client-management/mdm/applocker-csp.md | 6 +- .../mdm/appv-deploy-and-config.md | 2 +- ...e-active-directory-integration-with-mdm.md | 6 +- ...omatic-mdm-enrollment-in-the-new-portal.md | 4 +- .../client-management/mdm/bootstrap-csp.md | 2 +- .../mdm/browserfavorite-csp.md | 2 +- ...ollment-using-windows-provisioning-tool.md | 16 +- 
.../mdm/cellularsettings-csp.md | 2 +- .../mdm/cm-cellularentries-csp.md | 2 +- ...onfiguration-service-provider-reference.md | 60 +++--- .../mdm/device-update-management.md | 14 +- .../mdm/deviceinstanceservice-csp.md | 2 +- .../client-management/mdm/devicelock-csp.md | 2 +- .../diagnose-mdm-failures-in-windows-10.md | 20 +- .../disconnecting-from-mdm-unenrollment.md | 2 +- .../mdm/eap-configuration.md | 22 +- .../mdm/enable-admx-backed-policies-in-mdm.md | 12 +- ...dded-8-1-handheld-devices-to-windows-10.md | 44 ++-- ...device-automatically-using-group-policy.md | 44 ++-- .../mdm/enterprise-app-management.md | 2 +- .../mdm/enterpriseappmanagement-csp.md | 2 +- .../client-management/mdm/filesystem-csp.md | 2 +- .../mdm/healthattestation-csp.md | 2 +- windows/client-management/mdm/hotspot-csp.md | 2 +- ...rver-side-mobile-application-management.md | 2 +- ...ent-tool-for-windows-store-for-business.md | 6 +- .../mdm/mdm-enrollment-of-windows-devices.md | 76 +++---- .../client-management/mdm/messaging-csp.md | 2 +- .../mdm/mobile-device-enrollment.md | 2 +- windows/client-management/mdm/napdef-csp.md | 4 +- ...ew-in-windows-mdm-enrollment-management.md | 10 +- .../mdm/passportforwork-csp.md | 4 +- .../policy-configuration-service-provider.md | 2 +- .../mdm/policy-csp-deviceinstallation.md | 8 +- .../mdm/policy-csp-mixedreality.md | 28 +-- .../mdm/policy-csp-system.md | 15 +- .../mdm/push-notification-windows-mdm.md | 16 +- .../client-management/mdm/pxlogical-csp.md | 4 +- ...ree-azure-active-directory-subscription.md | 6 +- .../mdm/securitypolicy-csp.md | 2 +- .../mdm/understanding-admx-backed-policies.md | 4 +- .../mdm/unifiedwritefilter-csp.md | 2 +- windows/client-management/mdm/vpn-csp.md | 2 +- .../mdm/w4-application-csp.md | 2 +- .../mdm/w7-application-csp.md | 2 +- windows/client-management/mdm/wifi-csp.md | 2 +- .../mdm/windows-mdm-enterprise-settings.md | 2 +- .../windowsadvancedthreatprotection-csp.md | 2 +- .../mdm/wmi-providers-supported-in-windows.md | 60 
+++--- windows/client-management/quick-assist.md | 2 +- .../troubleshoot-inaccessible-boot-device.md | 16 +- .../troubleshoot-stop-errors.md | 4 +- .../troubleshoot-tcpip-connectivity.md | 16 +- .../troubleshoot-tcpip-netmon.md | 8 +- .../troubleshoot-tcpip-port-exhaust.md | 18 +- .../troubleshoot-tcpip-rpc-errors.md | 10 +- .../windows-version-search.md | 10 +- .../configure-windows-10-taskbar.md | 16 +- .../cortana-at-work/cortana-at-work-crm.md | 4 +- .../cortana-at-work-powerbi.md | 26 +-- .../cortana-at-work-voice-commands.md | 2 +- .../customize-and-export-start-layout.md | 2 +- ...-10-start-screens-by-using-group-policy.md | 4 +- ...-by-using-provisioning-packages-and-icd.md | 2 +- ...ation-user-model-id-of-an-installed-app.md | 2 +- windows/configuration/kiosk-methods.md | 12 +- windows/configuration/kiosk-prepare.md | 4 +- windows/configuration/kiosk-shelllauncher.md | 2 +- windows/configuration/kiosk-single-app.md | 10 +- windows/configuration/kiosk-troubleshoot.md | 2 +- .../lock-down-windows-10-applocker.md | 8 +- .../lock-down-windows-10-to-specific-apps.md | 14 +- .../manage-wifi-sense-in-enterprise.md | 6 +- .../mobile-devices/lockdown-xml.md | 30 +-- .../mobile-lockdown-designer.md | 28 +-- .../provisioning-configure-mobile.md | 6 +- .../mobile-devices/provisioning-nfc.md | 2 +- ...kiosk-for-windows-10-for-mobile-edition.md | 12 +- .../mobile-devices/start-layout-xml-mobile.md | 2 +- windows/configuration/provisioning-apn.md | 4 +- ...can-use-configuration-service-providers.md | 10 +- .../provision-pcs-for-initial-deployment.md | 6 +- ...rovision-pcs-with-apps-and-certificates.md | 8 +- .../provision-pcs-with-apps.md | 10 +- .../provisioning-apply-package.md | 14 +- .../provisioning-create-package.md | 10 +- .../provisioning-install-icd.md | 2 +- .../provisioning-multivariant.md | 2 +- .../provisioning-packages.md | 2 +- .../provisioning-script-to-install-app.md | 4 +- .../set-up-shared-or-guest-pc.md | 8 +- .../start-layout-troubleshoot.md | 14 +- 
.../configuration/start-secondary-tiles.md | 8 +- .../uev-deploy-uev-for-custom-applications.md | 2 +- windows/configuration/ue-v/uev-for-windows.md | 4 +- .../ue-v/uev-prepare-for-deployment.md | 16 +- .../uev-upgrade-uev-from-previous-releases.md | 2 +- .../configuration/wcd/wcd-admxingestion.md | 4 +- ...ws-10-start-layout-options-and-policies.md | 4 +- windows/configuration/windows-spotlight.md | 8 +- windows/deployment/TOC.yml | 2 - .../deployment/deploy-enterprise-licenses.md | 6 +- windows/deployment/deploy-m365.md | 4 +- windows/deployment/deploy-whats-new.md | 2 +- ...ystem-image-using-configuration-manager.md | 4 +- ...-windows-pe-using-configuration-manager.md | 16 +- ...e-boot-image-with-configuration-manager.md | 10 +- ...ence-with-configuration-manager-and-mdt.md | 4 +- ...-windows-10-using-configuration-manager.md | 4 +- ...-10-using-pxe-and-configuration-manager.md | 30 +-- ...0-deployment-with-configuration-manager.md | 12 +- ...f-windows-10-with-configuration-manager.md | 22 +- ...-windows-10-using-configuration-manager.md | 22 +- ...-windows-10-using-configuration-manager.md | 24 +-- ...to-windows-10-with-configuraton-manager.md | 16 +- .../assign-applications-using-roles-in-mdt.md | 6 +- ...d-environment-for-windows-10-deployment.md | 10 +- .../configure-mdt-settings.md | 2 +- .../create-a-windows-10-reference-image.md | 28 +-- .../deploy-a-windows-10-image-using-mdt.md | 38 ++-- ...d-with-the-microsoft-deployment-toolkit.md | 8 +- ...prepare-for-windows-deployment-with-mdt.md | 10 +- ...sh-a-windows-7-computer-with-windows-10.md | 6 +- ...s-7-computer-with-a-windows-10-computer.md | 12 +- .../set-up-mdt-for-bitlocker.md | 6 +- ...ows-10-deployment-in-a-test-environment.md | 4 +- ...0-with-the-microsoft-deployment-toolkit.md | 8 +- .../use-orchestrator-runbooks-with-mdt.md | 20 +- ...stage-windows-10-deployment-information.md | 8 +- .../use-web-services-in-mdt.md | 16 +- windows/deployment/index.yml | 2 +- windows/deployment/mbr-to-gpt.md | 2 +- 
...compatibility-administrator-users-guide.md | 2 +- ...oyment-considerations-for-windows-to-go.md | 12 +- ...rstanding-and-using-compatibility-fixes.md | 4 +- .../deployment/planning/using-the-sua-tool.md | 2 +- .../planning/using-the-sua-wizard.md | 2 +- .../windows-10-infrastructure-requirements.md | 2 +- windows/deployment/s-mode.md | 4 +- windows/deployment/update/PSFxWhitepaper.md | 8 +- windows/deployment/update/WIP4Biz-intro.md | 2 +- .../deployment/update/check-release-health.md | 12 +- .../update/deployment-service-overview.md | 4 +- .../get-started-updates-channels-tools.md | 12 +- .../update/how-windows-update-works.md | 14 +- .../deployment/update/media-dynamic-update.md | 2 +- .../olympia/olympia-enrollment-guidelines.md | 14 +- .../deployment/update/plan-define-strategy.md | 4 +- windows/deployment/update/safeguard-holds.md | 2 +- ...update-compliance-delivery-optimization.md | 2 +- ...update-compliance-feature-update-status.md | 2 +- .../update-compliance-need-attention.md | 2 +- ...pdate-compliance-security-update-status.md | 2 +- .../update/update-compliance-using.md | 8 +- .../deployment/update/waas-configure-wufb.md | 2 +- .../waas-delivery-optimization-setup.md | 2 +- .../update/waas-delivery-optimization.md | 2 +- ...aas-deployment-rings-windows-10-updates.md | 12 +- .../deployment/update/waas-integrate-wufb.md | 2 +- .../update/waas-manage-updates-wsus.md | 48 ++--- .../update/waas-manage-updates-wufb.md | 14 +- .../waas-optimize-windows-10-updates.md | 16 +- windows/deployment/update/waas-overview.md | 14 +- windows/deployment/update/waas-restart.md | 19 +- ...s-servicing-channels-windows-10-updates.md | 24 +-- .../update/waas-servicing-differences.md | 6 +- ...s-servicing-strategy-windows-10-updates.md | 14 +- .../deployment/update/waas-wufb-csp-mdm.md | 18 +- .../update/waas-wufb-group-policy.md | 18 +- windows/deployment/update/waas-wufb-intune.md | 20 +- .../deployment/update/windows-update-logs.md | 10 +- 
.../update/windows-update-overview.md | 2 +- .../update/wufb-compliancedeadlines.md | 12 +- .../deployment/update/wufb-manageupdate.md | 2 +- windows/deployment/upgrade/quick-fixes.md | 8 +- windows/deployment/upgrade/setupdiag.md | 14 +- windows/deployment/upgrade/submit-errors.md | 4 +- .../upgrade/troubleshoot-upgrade-errors.md | 14 +- .../upgrade/windows-10-edition-upgrades.md | 42 ++-- .../upgrade/windows-error-reporting.md | 2 +- .../usmt/migration-store-types-overview.md | 2 +- .../usmt/usmt-common-migration-scenarios.md | 4 +- ...ctive-directory-based-activation-client.md | 12 +- ...ivate-using-key-management-service-vamt.md | 12 +- .../activate-windows-10-clients-vamt.md | 4 +- .../add-remove-computers-vamt.md | 2 +- .../configure-client-computers-vamt.md | 2 +- .../volume-activation/install-vamt.md | 4 +- .../volume-activation/introduction-vamt.md | 4 +- .../plan-for-volume-activation-client.md | 6 +- .../scenario-online-activation-vamt.md | 2 +- .../scenario-proxy-activation-vamt.md | 2 +- ...olume-activation-management-tool-client.md | 4 +- .../volume-activation/vamt-known-issues.md | 2 +- .../windows-10-deployment-posters.md | 4 +- windows/deployment/windows-10-media.md | 4 +- windows/deployment/windows-10-poc-mdt.md | 4 +- .../windows-10-poc-sc-config-mgr.md | 18 +- windows/deployment/windows-10-poc.md | 16 +- .../windows-10-subscription-activation.md | 14 +- .../demonstrate-deployment-on-vm.md | 128 ++++++------ .../windows-deployment-scenarios-and-tools.md | 28 +-- .../privacy/Microsoft-DiagnosticDataViewer.md | 4 +- .../diagnostic-data-viewer-overview.md | 16 +- ...system-components-to-microsoft-services.md | 192 +++++++++--------- .../active-directory-accounts.md | 30 +-- .../access-control/local-accounts.md | 16 +- .../access-control/security-identifiers.md | 2 +- .../access-control/security-principals.md | 2 +- .../identity-protection/configure-s-mime.md | 8 +- .../credential-guard-how-it-works.md | 2 +- .../credential-guard-manage.md | 4 +- 
.../enterprise-certificate-pinning.md | 12 +- .../feature-multifactor-unlock.md | 4 +- .../hello-adequate-domain-controllers.md | 10 +- .../hello-cert-trust-adfs.md | 20 +- .../hello-cert-trust-validate-ad-prereq.md | 2 +- .../hello-deployment-rdp-certs.md | 6 +- .../hello-errors-during-pin-creation.md | 2 +- .../hello-feature-pin-reset.md | 8 +- .../hello-feature-remote-desktop.md | 2 +- .../hello-how-it-works-authentication.md | 10 +- .../hello-how-it-works-provisioning.md | 12 +- .../hello-hybrid-aadj-sso-base.md | 52 ++--- .../hello-hybrid-aadj-sso-cert.md | 94 ++++----- .../hello-hybrid-cert-trust-devreg.md | 18 +- .../hello-hybrid-cert-whfb-provision.md | 8 +- .../hello-hybrid-key-whfb-provision.md | 8 +- .../hello-key-trust-adfs.md | 20 +- .../hello-for-business/hello-overview.md | 2 +- .../hello-prepare-people-to-use.md | 6 +- .../passwordless-strategy.md | 20 +- .../retired/hello-how-it-works.md | 2 +- .../remote-credential-guard.md | 6 +- .../smart-card-and-remote-desktop-services.md | 2 +- .../smart-cards/smart-card-architecture.md | 8 +- ...rt-card-certificate-propagation-service.md | 2 +- ...ertificate-requirements-and-enumeration.md | 12 +- .../smart-card-removal-policy-service.md | 2 +- .../how-user-account-control-works.md | 10 +- ...l-smart-card-deploy-virtual-smart-cards.md | 2 +- .../virtual-smart-card-evaluate-security.md | 2 +- .../virtual-smart-card-get-started.md | 22 +- ...tual-smart-card-use-virtual-smart-cards.md | 2 +- .../vpn/vpn-authentication.md | 2 +- .../vpn/vpn-auto-trigger-profile.md | 4 +- .../vpn/vpn-conditional-access.md | 2 +- .../vpn/vpn-connection-type.md | 6 +- .../vpn/vpn-name-resolution.md | 2 +- .../vpn/vpn-profile-options.md | 2 +- .../identity-protection/vpn/vpn-routing.md | 4 +- .../vpn/vpn-security-features.md | 2 +- ...dential-theft-mitigation-guide-abstract.md | 2 +- .../bitlocker/bitlocker-countermeasures.md | 4 +- .../bitlocker-deployment-comparison.md | 48 ++--- .../bitlocker-recovery-guide-plan.md | 16 +- 
...ve-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker/troubleshoot-bitlocker.md | 4 +- .../ts-bitlocker-cannot-encrypt-issues.md | 4 +- .../ts-bitlocker-decode-measured-boot-logs.md | 16 +- .../bitlocker/ts-bitlocker-intune-issues.md | 38 ++-- .../kernel-dma-protection-for-thunderbolt.md | 10 +- .../secure-the-windows-10-boot-process.md | 4 +- .../tpm/how-windows-uses-the-tpm.md | 4 +- ...reate-and-verify-an-efs-dra-certificate.md | 2 +- ...e-vpn-and-wip-policy-using-intune-azure.md | 8 +- .../create-wip-policy-using-configmgr.md | 40 ++-- .../create-wip-policy-using-intune-azure.md | 56 ++--- .../deploy-wip-policy-using-intune-azure.md | 2 +- .../wip-app-enterprise-context.md | 4 +- .../wip-learning.md | 8 +- ...tion-based-protection-of-code-integrity.md | 4 +- .../coordinated-malware-eradication.md | 2 +- .../intelligence/fileless-threats.md | 4 +- .../intelligence/malware-naming.md | 2 +- .../intelligence/phishing.md | 2 +- .../portal-submission-troubleshooting.md | 14 +- .../intelligence/worms-malware.md | 2 +- .../mbsa-removal-and-guidance.md | 4 +- .../install-md-app-guard.md | 6 +- .../md-app-guard-overview.md | 2 +- .../test-scenarios-md-app-guard.md | 34 ++-- ...microsoft-defender-smartscreen-overview.md | 2 +- ...ender-smartscreen-set-individual-device.md | 2 +- ...tions-for-app-related-security-policies.md | 6 +- ...iew-of-threat-mitigations-in-windows-10.md | 4 +- ...-the-health-of-windows-10-based-devices.md | 26 +-- ...-information-when-the-session-is-locked.md | 2 +- .../security-policy-settings.md | 8 +- ...arding-to-assist-in-intrusion-detection.md | 8 +- .../windows-10-mobile-security-guide.md | 2 +- .../LOB-win32-apps-on-s.md | 6 +- .../plan-for-applocker-policy-management.md | 2 +- ...ent-setting-inheritance-in-group-policy.md | 2 +- ...the-applocker-policy-deployment-process.md | 2 +- ...s-defender-application-control-policies.md | 2 +- ...s-defender-application-control-policies.md | 2 +- 
...or-windows-defender-application-control.md | 8 +- ...rt-windows-defender-application-control.md | 20 +- ...ion-control-policies-using-group-policy.md | 6 +- ...plication-control-policies-using-intune.md | 2 +- ...defender-application-control-management.md | 2 +- .../wdac-wizard-create-base-policy.md | 10 +- .../wdac-wizard-create-supplemental-policy.md | 12 +- .../wdac-wizard-editing-policy.md | 4 +- .../wdac-wizard-merging-policies.md | 2 +- .../wdsc-account-protection.md | 2 +- .../wdsc-app-browser-control.md | 2 +- .../wdsc-customize-contact-information.md | 4 +- .../wdsc-device-performance-health.md | 2 +- .../wdsc-device-security.md | 2 +- .../wdsc-family-options.md | 2 +- .../wdsc-firewall-network-protection.md | 2 +- .../wdsc-virus-threat-protection.md | 2 +- .../wdsc-windows-10-in-s-mode.md | 2 +- .../windows-defender-security-center.md | 10 +- ...sed-root-of-trust-helps-protect-windows.md | 4 +- ...-guard-secure-launch-and-smm-protection.md | 8 +- .../best-practices-configuring.md | 14 +- .../windows-firewall/boundary-zone.md | 2 +- ...create-windows-firewall-rules-in-intune.md | 2 +- .../domain-isolation-policy-design-example.md | 2 +- .../domain-isolation-policy-design.md | 2 +- .../filter-origin-documentation.md | 10 +- .../firewall-policy-design-example.md | 2 +- ...wall-with-advanced-security-design-plan.md | 2 +- .../windows-firewall/quarantine.md | 4 +- ...n-accessing-sensitive-network-resources.md | 2 +- ...cess-to-only-specified-users-or-devices.md | 2 +- ...restrict-access-to-only-trusted-devices.md | 2 +- ...to-end-ipsec-connections-by-using-ikev2.md | 6 +- .../server-isolation-policy-design-example.md | 2 +- .../server-isolation-policy-design.md | 2 +- ...-administration-with-windows-powershell.md | 4 +- .../windows-security-baselines.md | 6 +- .../windows-security-baselines.md | 6 +- windows/whats-new/contribute-to-a-topic.md | 10 +- .../ltsc/whats-new-windows-10-2019.md | 20 +- .../whats-new-windows-10-version-1703.md | 8 +- 
.../whats-new-windows-10-version-1809.md | 36 ++-- .../whats-new-windows-10-version-1903.md | 2 +- .../whats-new-windows-10-version-2004.md | 2 +- 410 files changed, 2121 insertions(+), 2137 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ef3a69ff52..75cb7255c8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible. 1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**. - ![GitHub Web, showing the Edit link.](images/contribute-link.png) + ![GitHub Web, showing the Edit link](images/contribute-link.png) 2. Log into (or sign up for) a GitHub account. @@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible. 3. Click the **Pencil** icon (in the red box) to edit the content. - ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) + ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) 
@@ -37,11 +37,11 @@ We've tried to make editing an existing, public file as simple as possible. 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. - ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) + ![GitHub Web, showing the Propose file change button](images/propose-file-change.png) The **Comparing changes** screen appears to see what the changes are between your fork and the original content. @@ -49,7 +49,7 @@ We've tried to make editing an existing, public file as simple as possible. If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index d4f9600d8b..4fc4fb1ecc 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md 
@@ -34,11 +34,11 @@ Before you start, you need to make sure you have the following: 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png) + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - ![affected software section.](images/affectedsoftware.png) + ![affected software section](images/affectedsoftware.png) 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. @@ -280,13 +280,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png) + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) 2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. 3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png) + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) 4. Select the check boxes next to the following classes, and then click **OK**: 
@@ -393,12 +393,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam ### SCCM Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) ### SCCM Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. -![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) ## View the collected XML data After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: @@ -436,7 +436,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png) + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md index 923d4dfe04..47322f0c03 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -27,11 +27,11 @@ ms.date: 07/27/2017 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. -![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png) +![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. -![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png) +![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. 
@@ -47,11 +47,11 @@ This lets you create an ASP form that accepts the incoming POST messages. 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options.](images/ie-emie-logging.png) + ![IIS Manager, setting logging options](images/ie-emie-logging.png) 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. @@ -72,7 +72,7 @@ This code logs your POST fields to your IIS log file, where you can review all o ### IIS log file information This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. -![Enterprise Mode log file.](images/ie-emie-logfile.png) +![Enterprise Mode log file](images/ie-emie-logfile.png) ## Using the GitHub sample to collect your data @@ -99,14 +99,14 @@ The required packages are automatically downloaded and included in the solution. 1. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) 2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. @@ -131,7 +131,7 @@ The required packages are automatically downloaded and included in the solution. - Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. - ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png) + ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) ### Troubleshooting publishing errors @@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png) + ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) 2. Click **Updates** on the left side of the tool, and click the **Update All** button.

You may need to do some additional package cleanup to remove older package versions. diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md index 4573423115..4651adf5cf 100644 --- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.

Turning this setting on also requires you to create and store a site list. 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. @@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t 2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.

For example: + ![Enterprise mode with site list in the registry](../edge/images/enterprise-mode-value-data.png) --> - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"` diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md index c8ef3d030c..b34f9be63f 100644 --- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting.](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting](images/ie-emie-editpolicy.png) 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. @@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 65fbb8eaaf..1acd936993 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following: 1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**. - ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png) + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - ![affected software section.](images/affectedsoftware.png) + ![affected software section](images/affectedsoftware.png) 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. 
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png) + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) 2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. 3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png) + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) 4. Select the check boxes next to the following classes, and then click **OK**: 
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam ### SCCM Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) ### SCCM Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. -![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) ## View the collected XML data After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: @@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png) + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index 5cfa201d18..e8d1ec3d7d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the ## Document mode selection flowchart This flowchart shows how IE11 works when document modes are used. -![Flowchart detailing how document modes are chosen in IE11.](images/docmode-decisions-sm.png)
+![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
[Click this link to enlarge image](img-ie11-docmode-lg.md) ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 9ec7ddf862..333686dc07 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time, 1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. - ![Emulation tool showing document mode selection.](images/docmode-f12.png) + ![Emulation tool showing document mode selection](images/docmode-f12.png) 2. Starting with the **11 (Default)** option, test your broken scenario.
If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)). @@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris 1. Open the Enterprise Mode Site List Manager, and click **Add**. - ![Enterprise Mode Site List Manager, showing the available modes.](images/emie-listmgr.png) + ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) 2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. @@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what- ### Review your Enterprise Mode site list Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: -![Enterprise Mode Site List Manager, showing the different modes.](images/emie-sitelistmgr.png) +![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) And the underlying XML code will look something like: diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 4eed39657f..75283c1f64 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md 
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi **Internet Explorer 9 through Internet Explorer 11** -![Warning about outdated activex controls (ie9+).](images/outdatedcontrolwarning.png) +![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) **Windows Internet Explorer 8** -![Warning about outdated activex controls (ie8).](images/ieoutdatedcontrolwarning.png) +![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: -![Warning about outdated activex controls outside ie.](images/ieoutdatedcontroloutsideofie.png) +![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) ## How do I fix an outdated ActiveX control or app? diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 9424e5e32f..6edccdda73 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration 1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). - ![set default associations group policy setting.](images/setdefaultbrowsergp.png) + ![set default associations group policy setting](images/setdefaultbrowsergp.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index b42426f1d7..dd26f8e369 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -31,11 +31,11 @@ ms.date: 07/27/2017 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. -![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png) +![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. -![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png) +![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. 
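Review bot: the two rewritten alt texts in this hunk of set-up-enterprise-mode-logging-and-data-collection.md drop the trailing period but keep the product names in lowercase ("enterprise mode option on the tools menu", "group policy to turn on enterprise mode"), which is inconsistent with the casing used in the alt text elsewhere in this patch (for example "Enterprise Mode Site List Manager, showing the available modes"); since both lines are being rewritten anyway, suggest `+![Enterprise Mode option on the Tools menu](images/ie-emie-toolsmenu.png)` and `+![Group Policy to turn on Enterprise Mode](images/ie-emie-grouppolicy.png)`. Out of scope for this alt-text pass, but worth a follow-up issue: the unchanged context here recommends receiving the user reports on "a custom HTTP port 81", and the later hunk in the same file describes those reports as carrying the client IP address and the URI of the site the user changed.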
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options.](images/ie-emie-logging.png) + ![IIS Manager, setting logging options](images/ie-emie-logging.png) 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. @@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can ### IIS log file information This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. -![Enterprise Mode log file.](images/ie-emie-logfile.png) +![Enterprise Mode log file](images/ie-emie-logfile.png) ## Using the GitHub sample to collect your data @@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can 5. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) 6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. @@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can - Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. - ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png) + ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) ### Troubleshooting publishing errors @@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png) + ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) 2. Click **Updates** on the left side of the tool, and click the **Update All** button.

You may need to do some additional package cleanup to remove older package versions. diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index ec77071c73..14bd40e745 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -28,7 +28,7 @@ Jump to: [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. -![Internet Explorer Enterprise Modes and document modes.](images/img-enterprise-mode-site-list-xml.jpg) +![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. 
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern - Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. - ![F12 Developer Tools Emulation tab.](images/img-f12-developer-tools-emulation.jpg) + ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) - Run the site in each document mode until you find the mode in which the site works. diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 1b32fa64ad..8c84054dc3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - ![local group policy editor for using a site list.](images/ie-emie-grouppolicysitelist.png) + ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. @@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi 4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: - ![enterprise mode with site list in the registry.](images/ie-emie-registrysitelist.png) + ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index 897b27ceed..b4db0fb7a4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md 
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting.](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting](images/ie-emie-editpolicy.png) 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. @@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 54ae269373..fd6904f4a8 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md 
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or | Feature | Internal | External | |-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:| -| Welcome screen | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| File locations | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Platform selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Language selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Package type selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Feature selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Automatic Version Synchronization (AVS) | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Custom components | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Internal install | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| User experience | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Browser user interface | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Search providers | ![Available.](/microsoft-edge/deploy/images/148767.png) | 
![Available](/microsoft-edge/deploy/images/148767.png) | -| Important URLs – Home page and support | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Accelerators | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Favorites, Favorites bar, and feeds | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Browsing options | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| First Run wizard and Welcome page options | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Connection manager | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Connection settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Automatic configuration | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Proxy settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Security and privacy settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Add a root certificate | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Programs | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Additional settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Wizard complete | 
![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Welcome screen | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| File locations | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Platform selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Language selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Package type selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Feature selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Automatic Version Synchronization (AVS) | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Custom components | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Internal install | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| User experience | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Browser user interface | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Search providers | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Important URLs – Home page and support | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Accelerators | 
![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Favorites, Favorites bar, and feeds | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Browsing options | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| First Run wizard and Welcome page options | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Connection manager | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Connection settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Automatic configuration | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Proxy settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Security and privacy settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Add a root certificate | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Programs | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Additional settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Wizard complete | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | --- diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index bbf1be6015..d0251e80ba 100644 
--- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -24,13 +24,13 @@ manager: dansimp | Tool | Description | | :---: |:--- | -| [![Connect the device to Wi-Fi.](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. | -| [![Try Learning Tools Immersive Reader.](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)**
Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. | -| [![Launch Microsoft Teams.](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | -| [![Open OneNote.](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
Open [OneNote](#edu-task4) and create an example group project for your class. | -| [![Try Photos app.](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
Try the [Photos app](#edu-task5) to make your own example video. | -| [![Play with Minecraft: Education Edition.](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | -| [![Do Math with Windows Ink.](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. | +| [![Connect the device to Wi-Fi](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. | +| [![Try Learning Tools Immersive Reader](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)**
Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. | +| [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | +| [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
Open [OneNote](#edu-task4) and create an example group project for your class. | +| [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
Try the [Photos app](#edu-task5) to make your own example video. | +| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | +| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
@@ -41,7 +41,7 @@ manager: dansimp
-![Log in to Device A and connect to the school network.](images/edu-TIB-setp-1-jump.png) +![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png) ## 1. Log in and connect to the school network To try out the educator tasks, start by logging in as a teacher. @@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.

-![Improve student reading speed and comprehension.](images/edu-TIB-setp-2-jump.png) +![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png) ## 2. Significantly improve student reading speed and comprehension > [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y] @@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse 4. Select the **Immersive Reader** button. - ![Word's Immersive Reader.](images/word_online_immersive_reader.png) + ![Word's Immersive Reader](images/word_online_immersive_reader.png) 5. Press the **Play** button to hear text read aloud. @@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse | Text to Speech | Text Preferences | Grammar Options | Line Focus | | :------------: | :--------------: | :-------------: | :--------: | - | ![Word Text to Speech.](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) | + | ![Word Text to Speech](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |

-![Spark communication, critical thinking, and creativity with Microsoft Teams.](images/edu-TIB-setp-3-jump.png) +![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) ## 3. Spark communication, critical thinking, and creativity in the classroom > [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8] @@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.

-![Expand classroom collaboration and interaction with OneNote.](images/edu-TIB-setp-4-jump.png) +![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png) ## 4. Expand classroom collaboration and interaction between students > [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE] @@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities. - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling. - ![OneNote Draw tab.](images/onenote_draw.png) + ![OneNote Draw tab](images/onenote_draw.png) - Type anywhere on the page! Just click your cursor where you want to place text. - Use the checkmark in the **Home** tab to keep track of completed tasks. - ![OneNote To Do Tag.](images/onenote_checkmark.png) + ![OneNote To Do Tag](images/onenote_checkmark.png) - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. - ![OneNote Researcher.](images/onenote_researcher.png) + ![OneNote Researcher](images/onenote_researcher.png)

@@ -178,7 +178,7 @@ Use video to create a project summary. 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this: - ![Photos app layout showing videos added in previous steps.](images/photo_app_1.png) + ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. @@ -191,7 +191,7 @@ Use video to create a project summary. 4. Play back your effect. 5. Select **Done** when you have it where you want it. - ![Lighting bolt effect being added to a video clip.](images/photo_app_2.png) + ![Lighting bolt effect being added to a video clip](images/photo_app_2.png) 12. Select **Music** and select a track from the **Recommended** music collection. 1. The music will update automatically to match the length of your video project, even as you make changes. @@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F

-![Further collaborate and problem solve with Minecraft: Education Edition.](images/edu-TIB-setp-5-jump.png) +![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png) ## 6. Get kids to further collaborate and problem solve > [!VIDEO https://www.youtube.com/embed/QI_bRNUugog] @@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. 3. Scroll down to the **Details** section and select **Download World**. - ![Select the download world link.](images/mcee_downloadworld.png) + ![Select the download world link](images/mcee_downloadworld.png) 4. When prompted, save the world. @@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. - ![Minecraft mouse and keyboard controls.](images/mcee_keyboard_mouse_controls.png) + ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png) 12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting. @@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student. 2. Click **Class Resources**. 3. Click **Find a Lesson**. - ![Access and adapt over 300 Minecraft lesson plans.](images/minecraft_lesson_plans.png) + ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png)


-![Help students understand new math concepts with the Math Assistant in OneNote.](images/Inking.png) +![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png) ## 7. Use Windows Ink to provide a personal math tutor for your students The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph. @@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app To get started: 1. Open the OneNote app for Windows 10 (not OneNote 2016). - ![OneNote icon.](images/OneNote_logo.png) + ![OneNote icon](images/OneNote_logo.png) 2. In the top left corner, click on the **<** arrow to access your notebooks and pages. - ![OneNote back arrow navigation button.](images/left_arrow.png) + ![OneNote back arrow navigation button](images/left_arrow.png) 3. Click **Add Page** to launch a blank work space. - ![Select add page button.](images/plus-page.png) + ![Select add page button](images/plus-page.png) 4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. 
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions: 2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse. - ![Lasso button.](images/lasso.png) + ![Lasso button](images/lasso.png) 3. On the **Draw** tab, click the **Math** button. - ![Math button.](images/math-button.png) + ![Math button](images/math-button.png) 4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation. - ![Solve for x menu.](images/solve-for-x.png) + ![Solve for x menu](images/solve-for-x.png) 5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation. 6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem. - ![Replay button.](images/replay.png) + ![Replay button](images/replay.png) To graph the equation 3x+4=7, follow these instructions: 1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level. - ![Graph both sides in 2D.](images/graph-for-x.png) + ![Graph both sides in 2D](images/graph-for-x.png) 2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 5f1c865bce..f21a0ddcf4 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -16,7 +16,7 @@ ms.date: 12/11/2017 # Microsoft Education Trial in a Box -![Microsoft Education Trial in a Box - Unlock Limitless Learning.](images/Unlock-Limitless-Learning.png) +![Microsoft Education Trial in a Box - Unlock Limitless Learning](images/Unlock-Limitless-Learning.png)
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
-| [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | +| [![Get started for Educators](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | | :---: | :---: | | **Educator**
Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
[Get started](educator-tib-get-started.md) | **IT Admin**
Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
[Get started](itadmin-tib-get-started.md) | diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index d0ba6a05b3..be9a131941 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md 
@@ -24,11 +24,11 @@ manager: dansimp |  |  | | :---: |:--- | -| [![Log in to Device A.](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. | -| [![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. | -| [![Configure Intune for Education.](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. | -| [![Find and deploy apps.](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. | -| [![Create custom folders.](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. | +| [![Log in to Device A](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. | +| [![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. | +| [![Configure Intune for Education](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. | +| [![Find and deploy apps](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. | +| [![Create custom folders](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
-![Log in to Device A.](images/admin-TIB-setp-1-jump.png) +![Log in to Device A](images/admin-TIB-setp-1-jump.png) ## 1. Log in to Device A with your IT Admin credentials and connect to the school network To try out the IT admin tasks, start by logging in as an IT admin. @@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
-![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-jump.png) +![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-jump.png) ## 2. Configure Device B with Set up School PCs Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**. @@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca 1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store. - ![Microsoft Store from the Start menu.](images/start_microsoft_store.png) + ![Microsoft Store from the Start menu](images/start_microsoft_store.png) 2. Search for the **Set up School PCs** app. - ![Set up School PCs on Microsoft Store.](images/microsoft_store_suspc_install.png) + ![Set up School PCs on Microsoft Store](images/microsoft_store_suspc_install.png) 3. Click **Install**. @@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 1. On **Device A**, launch the Set up School PCs app. - ![Launch the Set up School PCs app.](images/suspc_start.png) + ![Launch the Set up School PCs app](images/suspc_start.png) 2. Click **Get started**. 3. Select **Sign-in**. @@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca We recommend checking the highlighted settings below: - ![Configure student PC settings.](images/suspc_configure_pcsettings_selected.png) + ![Configure student PC settings](images/suspc_configure_pcsettings_selected.png) - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes). - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC. 
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test. - ![Configure the Take a Test app.](images/suspc_takeatest.png) + ![Configure the Take a Test app](images/suspc_takeatest.png) 1. Specify if you want to create a Take a Test button on the students' sign-in screens. 2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. @@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision. - ![Recommended apps in Set up School PCs package configuration.](images/suspc_configure_recommendedapps_v2.png) + ![Recommended apps in Set up School PCs package configuration](images/suspc_configure_recommendedapps_v2.png) The recommended apps include the following: * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store. 
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes. - ![Select the section or page name to make a change.](images/suspc_review_summary.png) + ![Select the section or page name to make a change](images/suspc_review_summary.png) 10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package. 11. Select the drive and then **Save** to create the provisioning package. @@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n 1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**. - ![The first screen to set up a new PC in Windows 10 Fall Creators Update.](images/win10_oobe_firstscreen.png) + ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png) If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.** @@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
-![Express configure Intune for Education.](images/admin-TIB-setp-3-jump.png) +![Express configure Intune for Education](images/admin-TIB-setp-3-jump.png) ## 3. Express configure Intune for Education to manage devices, users, and policies Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. 1. Log into the Intune for Education console. 2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**. - ![Intune for Education dashboard.](images/i4e_dashboard_expressconfig.png) + ![Intune for Education dashboard](images/i4e_dashboard_expressconfig.png) 3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen. 4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group. 5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps. - ![Choose apps you want to provision to the group.](images/i4e_expressconfig_chooseapps.png) + ![Choose apps you want to provision to the group](images/i4e_expressconfig_chooseapps.png) 6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5. @@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
-![Find apps from the Microsoft Store for Education.](images/admin-TIB-setp-4-jump.png) +![Find apps from the Microsoft Store for Education](images/admin-TIB-setp-4-jump.png) ## 4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant The Microsoft Store for Education is where you can shop for more apps for your school. @@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s 2. In the **Store apps** section, select **+ New app** to go to the Microsoft Store for Education. 3. Select **Sign in** and start shopping for apps for your school. - ![Microsoft Store for Education site.](images/msfe_portal.png) + ![Microsoft Store for Education site](images/msfe_portal.png) 4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free: - Duolingo - Learn Languages for Free @@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - ![List of apps bought for the school.](images/msfe_boughtapps.png) + ![List of apps bought for the school](images/msfe_boughtapps.png) In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store. @@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
-![Create custom folders that appear on managed devices.](images/admin-TIB-setp-5-jump.png) +![Create custom folders that appear on managed devices](images/admin-TIB-setp-5-jump.png) ## 5. Create custom folders that will appear on each managed device's Start menu Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education. @@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and * 2. Select **Group > All Devices > Settings** and expand **Windows interface settings**. 3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**. - ![Choose folders that appear in the Start menu.](images/screenshot-bug.png) + ![Choose folders that appear in the Start menu](images/screenshot-bug.png) 4. **Save** your changes. diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 627a78c9ef..9cb32351de 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a > [!NOTE] > For the alternate email address, make sure you use a different address from your Office 365 email address. - ![Complete your contact details.](images/o365_adminaccountinfo.png) + ![Complete your contact details](images/o365_adminaccountinfo.png) 4. Click **Save**. 
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console. - ![Select Need help to get support.](images/o365_needhelp.png) + ![Select Need help to get support](images/o365_needhelp.png) You will see a sidebar window open up on the right-hand side of the screen. - ![Option to have a support representative call you.](images/o365_needhelp_callingoption.png) + ![Option to have a support representative call you](images/o365_needhelp_callingoption.png) If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**. - ![Track your support tickets.](images/o365_needhelp_supporttickets.png) + ![Track your support tickets](images/o365_needhelp_supporttickets.png) -2. Click the **question button** ![Question button.](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. +2. Click the **question button** ![Question button](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. 3. In the field below **Need help?**, enter a description of your help request. 4. Click the **Get help button**. 5. In the **Let us call you** section, enter a phone number where you can be reached. @@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it. 1. Go to https://portal.office.com 2. Select **Can't access your account** and follow the prompts to get back into your account. - ![Recover your account.](images/officeportal_cantaccessaccount.png) + ![Recover your account](images/officeportal_cantaccessaccount.png) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index c0ac95e03e..00b99a4c75 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
@@ -61,7 +61,7 @@ You can set the policy using one of these methods: - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: - ![Configure student PC settings in Set up School PCs.](images/suspc_configure_pc2.jpg) + ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) ## Trigger Autopilot Reset Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. @@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. - ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) + ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: @@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png) + ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. 
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Is returned to a known good managed state, connected to Azure AD and MDM. - ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png) + ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png) Once provisioning is complete, the device is again ready for use. diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index ea30225b3e..b104042dbc 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f **Figure 1** - Enter the details for the Windows edition change - ![Enter the details for the Windows edition change.](images/i4e_editionupgrade.png) + ![Enter the details for the Windows edition change](images/i4e_editionupgrade.png) 3. The change will automatically be applied to the group you selected. @@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that **Figure 2** - Enter the license key - ![Enter the license key to change to Windows 10 Pro Education.](images/wcd_productkey.png) + ![Enter the license key to change to Windows 10 Pro Education](images/wcd_productkey.png) 3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education. @@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi **Figure 3** - Check the box to confirm - ![Check the box to confirm.](images/msfe_manage_benefits_checktoconfirm.png) + ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) 5. Click **Change all my devices**. 
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps. **Figure 4** - Select how you'd like to set up the device - ![Select how you'd like to set up the device.](images/1_howtosetup.png) + ![Select how you'd like to set up the device](images/1_howtosetup.png) 2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. **Figure 5** - Enter the account details - ![Enter the account details you use with Office 365 or other Microsoft services.](images/2_signinwithms.png) + ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) 3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. 
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps. **Figure 6** - Go to **Access work or school** in Settings - ![Go to Access work or school in Settings.](images/settings_workorschool_1.png) + ![Go to Access work or school in Settings](images/settings_workorschool_1.png) 2. In **Access work or school**, click **Connect**. 3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. **Figure 7** - Select the option to join the device to Azure Active Directory - ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png) + ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) 4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. **Figure 8** - Verify the device connected to Azure AD - ![Verify the device is connected to Azure AD.](images/settings_connectedtoazuread_3.png) + ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) #### Step 2: Sign in using Azure AD account @@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change **Figure 12** - Revert to Windows 10 Pro - ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) + ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) 4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. 
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident **Figure 13** - On-premises AD DS integrated with Azure AD -![Illustration of Azure Active Directory Connect.](images/windows-ad-connect.png) +![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) For more information about integrating on-premises AD DS domains with Azure AD, see these resources: - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index d927aef072..59da859362 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. -![figure 1.](images/chromebook-fig1-googleadmin.png) +![figure 1](images/chromebook-fig1-googleadmin.png) Figure 1. Google Admin Console 
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). -![figure 2.](images/fig2-locallyconfig.png) +![figure 2](images/fig2-locallyconfig.png) Figure 2. Locally-configured settings on Chromebook diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 27b3806af5..f662b8ac78 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -94,19 +94,19 @@ Use one of these methods to set this policy. - Data type: Integer - Value: 0 - ![Create an OMA URI for AllowCortana.](images/allowcortana_omauri.png) + ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png) ### Group Policy Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. -![Set AllowCortana to disabled through Group Policy.](images/allowcortana_gp.png) +![Set AllowCortana to disabled through Group Policy](images/allowcortana_gp.png) ### Provisioning tools - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. - ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) + ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png) ## SetEduPolicies **SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). @@ -123,7 +123,7 @@ Use one of these methods to set this policy. - Data type: Boolean - Value: true - ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) + ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) ### Group Policy **SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
@@ -147,7 +147,7 @@ For example: - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. - ![Set SetEduPolicies to True in Windows Configuration Designer.](images/setedupolicies_wcd.png) + ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) ## Ad-free search with Bing Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 9dcdd7ca81..5ca4cb7ea0 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. > [!div class="mx-imgBorder"] -> ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. > [!div class="mx-imgBorder"] -> ![Typical school configuration for this guide.](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. > [!div class="mx-imgBorder"] -> ![Typical classroom configuration in a school.](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* 
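Review bot: in the three image lines of the @@ -34,21 hunk, removing the trailing period leaves the alt text and the quoted title attribute as identical strings (for example `![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide")`). A title that duplicates the alt adds a redundant tooltip and is announced twice by some screen readers; consider dropping the title while these lines are being touched. The same pattern repeats in the later hunks of this file.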
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. > [!div class="mx-imgBorder"] -> ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works") +> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)). > [!div class="mx-imgBorder"] -> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") +> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") *Figure 5. Automatic synchronization between AD DS and Azure AD* 
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. > [!div class="mx-imgBorder"] -> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") +> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") *Figure 6. Bulk import into Azure AD from other sources* @@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool: - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] - > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") + > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") *Figure 7. Azure AD Connect on premises* - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. > [!div class="mx-imgBorder"] - > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") + > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") *Figure 8. Azure AD Connect in Azure* 
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 318b892188..3b464f9fa6 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![fig 1.](images/deploy-win-10-school-figure1.png) +![fig 1](images/deploy-win-10-school-figure1.png) *Figure 1. Typical school configuration for this guide* Figure 2 shows the classroom configuration this guide uses. -![fig 2.](images/deploy-win-10-school-figure2.png) +![fig 2](images/deploy-win-10-school-figure2.png) *Figure 2. Typical classroom configuration in a school* @@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. 7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. -![fig 3.](images/deploy-win-10-school-figure3.png) +![fig 3](images/deploy-win-10-school-figure3.png) *Figure 3. How school configuration works* 
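Review bot: `![fig 1]`, `![fig 2]` and `![fig 3]` in the @@ -30,13 and @@ -112,7 hunks remain placeholder alt text after the edit. Each image is followed by an italic caption (`*Figure 1. Typical school configuration for this guide*`), so the caption text is the natural alt, e.g. `![Typical school configuration for this guide](images/deploy-win-10-school-figure1.png)`. The district-deployment guide edited earlier in this patch already uses descriptive alt text for the equivalent figures, so this would bring the two guides in line.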
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the **Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396). -![fig 4.](images/deploy-win-10-school-figure4.png) +![fig 4](images/deploy-win-10-school-figure4.png) *Figure 4. Automatic synchronization between AD DS and Azure AD* @@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. -![fig 5.](images/deploy-win-10-school-figure5.png) +![fig 5](images/deploy-win-10-school-figure5.png) *Figure 5. Bulk import into Azure AD from other sources* 
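Review bot: the context line in the @@ -346,7 hunk links to `/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396`. The `?f=255&MSPPError=-2147217396` query string is leftover error-tracking from a redirect, and the same reference in deploy-windows-10-in-a-school-district.md in this patch uses the clean `/previous-versions/mim/dn510997(v=ws.10)` form; worth trimming here while the file is open. The `![fig 4]` and `![fig 5]` lines in these two hunks have the same placeholder-alt issue as the earlier figures in this file.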
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods: - **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![fig 6.](images/deploy-win-10-school-figure6.png) + ![fig 6](images/deploy-win-10-school-figure6.png) *Figure 6. Azure AD Connect on premises* - **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![fig 7.](images/deploy-win-10-school-figure7.png) + ![fig 7](images/deploy-win-10-school-figure7.png) *Figure 7. Azure AD Connect in Azure* diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 03a761c858..eaa2f7c35b 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices: 1. On the computer, go to **Settings** and select **Privacy**. - ![Privacy settings.](images/win10_settings_privacy.png) + ![Privacy settings](images/win10_settings_privacy.png) 2. Under the list of **Privacy** areas, select **Contacts**. - ![Contacts privacy settings.](images/win10_settings_privacy_contacts.png) + ![Contacts privacy settings](images/win10_settings_privacy_contacts.png) 3. Turn off **Let apps access my contacts**. 
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off. -![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png) +![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png) The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. @@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can: * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce. - ![App privacy Group Policy.](images/gp_letwinappsaccesscontacts.png) + ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png) ## Skype and Xbox settings @@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t To manage and edit your profile in the Skype UWP app, follow these steps: -1. In the Skype UWP app, select the user profile icon ![Skype profile icon.](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. +1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. 2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. 
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps: 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. - ![Skype profile icon.](images/skype_uwp_manageprofilepic.png) + ![Skype profile icon](images/skype_uwp_manageprofilepic.png) * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index f4ea0cf4ef..586d6ea6b8 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi 2. Click **Manage**, and then click **Settings**. 3. On **Shop**, select or clear **Make everyone a Basic Purchaser**. -![manage settings to control Basic Purchaser role assignment.](images/sfe-make-everyone-bp.png) +![manage settings to control Basic Purchaser role assignment](images/sfe-make-everyone-bp.png) > [!NOTE] > **Make everyone a Basic Purchaser** is on by default. @@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi 2. Click **Manage**, and then choose **Permissions**. 3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**. - ![Permission page for Microsoft Store for Business.](images/sfe-roles.png) + ![Permission page for Microsoft Store for Business](images/sfe-roles.png) **Blocked Basic Purchasers** diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index a89e29de02..78f1759c45 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
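Review bot: in the @@ -127,7 hunk the alt text `Skype profile icon` is attached to `images/skype_uwp_manageprofilepic.png`, but the step it illustrates describes the **Manage Profile Picture** window, and the profile-icon alt is already used for `skype_uwp_userprofile_icon.png` in the previous hunk; suggest `![Manage Profile Picture window](images/skype_uwp_manageprofilepic.png)`. Separately, the education-scenarios hunk at @@ -39,7 keeps `![manage settings to control Basic Purchaser role assignment]` in lowercase while every other alt text in the patch is sentence-cased.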
@@ -29,7 +29,7 @@ ms.topic: conceptual Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. - + ## Prerequisites @@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) - + [Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) - + [Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index cf961bfe83..81e3f97634 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -14,15 +14,15 @@ ms.date: 10/13/2017 # Windows 10 for Education -![Windows 10 Education and Windows 10 Pro Education.](images/windows-10-for-education-banner.png) +![Windows 10 Education and Windows 10 Pro Education](images/windows-10-for-education-banner.png) -## ![Learn more about Windows.](images/education.png) Learn +## ![Learn more about Windows](images/education.png) Learn

Windows 10 editions for education customers
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

Compare each Windows edition
Find out more about the features and functionality we support in each edition of Windows.

Get Windows 10 Education or Windows 10 Pro Education
When you've made your decision, find out how to buy Windows for your school.

-## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan +## ![Plan for Windows 10 in your school](images/clipboard.png) Plan

Windows 10 configuration recommendations for education customers
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

Deployment recommendations for school IT administrators
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

@@ -30,14 +30,14 @@ ms.date: 10/13/2017

Take tests in Windows 10
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

Chromebook migration guide
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

-## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy +## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy

Set up Windows devices for education
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

Deploy Windows 10 in a school
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

Deploy Windows 10 in a school district
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Test Windows 10 S on existing Windows 10 education devices
Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

-## ![Switch to Windows 10 for Education.](images/windows.png) Switch +## ![Switch to Windows 10 for Education](images/windows.png) Switch

Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.
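Review bot: the `-`/`+` pairs in the get-minecraft-for-education.md hunks at @@ -29,7 and @@ -39,11 show no visible content on either side, so as presented here they read as whitespace-only changes. If they carry an edit that was lost in rendering, the commit message should say what changed; if they are only whitespace, dropping them keeps the review diff to the alt-text cleanup. That file also ends with `\ No newline at end of file`; adding the trailing newline now avoids the marker in every future diff.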

diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index a728b75a41..e3900603b6 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. - + 2. Enter your email address, and select Educator, Administrator, or Student.
If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one. - + 3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store. - + 4. Sign in to Microsoft Store for Education with your email address. @@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. - + Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). @@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine 2. Click **Minecraft: Education Edition** in the list of apps. 3. On **Minecraft: Education Edition**, click **View Bills**. - ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-view-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-view-bills.png) 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png) The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. @@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo ### Configure automatic subscription assignment 
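Review bot: in the @@ -113,11 hunk the second image, `![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png)`, reuses the alt text of the first image even though step 4 is about the **Invoice Bills** page, not the app details page. Since the line is being edited anyway, give it its own description, e.g. `![Invoice Bills page](images/mcee-invoice-bills.png)`. The earlier hunks in this file (@@ -50,15 and @@ -66,7) also contain empty `-`/`+` pairs that show no visible change, same as in get-minecraft-for-education.md.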
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. - + 3. Click **Install**. @@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. - ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) + ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) 3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student. - ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) + ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) **To finish Minecraft install (for students)** 1. Students will receive an email with a link that will install the app on their PC.
- ![Email with Get the app link.](images/minecraft-student-install-email.png) + ![Email with Get the app link](images/minecraft-student-install-email.png) 2. Click **Get the app** to start the app install in Microsoft Store app. 3. In Microsoft Store app, click **Install**. - ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) + ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png) After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. - ![My Library for example student.](images/minecraft-my-library.png) + ![My Library for example student](images/minecraft-my-library.png) ### Download for others Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: 
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) + ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) + ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 
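Review bot: in the @@ -225,11 and @@ -238,7 hunks the alt text `Microsoft Store app showing access to My Library` is kept on `mc-check-for-updates.png` and `mc-dnld-others-teacher.png`, neither of which is the My Library screen: step 3 is the **Check for updates** action, and the second image belongs to the **Download for others** tab of the product page. Since the lines are being rewritten, give each a matching alt, e.g. `![Microsoft Store app showing Check for updates](images/mc-check-for-updates.png)` and `![Download for others tab on the Minecraft: Education Edition page](images/mc-dnld-others-teacher.png)`.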
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up To prevent educators from automatically signing up for Microsoft Store for Business 1. In Microsoft Store for Business, click **Settings**, and then click **Permissions**. - ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png) + ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png) 2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.** @@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. - Acquire and manage the app - Info on Support page (including links to documentation and access to support through customer service) - ![assign roles to manage Minecraft permissions.](images/minecraft-perms.png) + ![assign roles to manage Minecraft permissions](images/minecraft-perms.png) **To assign Basic Purchaser role** @@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. 2. Click **Settings**, and then choose **Permissions**. - ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png) + ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png) 3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**. - ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles.png) + ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles.png) Microsoft Store for Business updates the list of people and permissions. - ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles-2.png) + ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles-2.png) --> 
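Review bot: the @@ -280,15 hunk ends on a `-->` context line, so the images it edits sit inside an HTML comment and are not rendered; the change is harmless, but a pure alt-text cleanup could skip commented-out text, or the commented block should be deleted if the section is no longer maintained. Within that block the single alt `Permission page for Microsoft Store for Business` is used for three different screenshots (`minecraft-admin-permissions.png`, `minecraft-assign-roles.png`, `minecraft-assign-roles-2.png`), which would need distinct descriptions if the section is ever uncommented.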
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 02198518ca..6d62b6bb55 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**. for Azure AD by selecting **All** or **Selected**. If you choose the latter option, select the teachers and IT staff to allow them to connect to Azure AD. -![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png) +![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png) You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 328b2f80a1..22d45b09fc 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) The account can be in one of the following formats: - username diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index f0bb65fa78..7d803777e5 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md 
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur 2. 2. On the **Finish** page, select **Switch to advanced editor**. - ![Switch to advanced editor.](images/icd-school-adv-edit.png) + ![Switch to advanced editor](images/icd-school-adv-edit.png) **Next steps** - [Add a desktop app to your package](#add-a-desktop-app-to-your-package) @@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options.](images/icdstart-option.png) + ![ICD start options](images/icdstart-option.png) 3. Name your project and click **Next**. 
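Review bot: the context line in the @@ -35,7 hunk reads `2. 2. On the **Finish** page, select **Switch to advanced editor**.`, a doubled list marker that renders as a literal "2." at the start of item 2. The following image line is already being edited, so the duplicate marker is worth removing in the same pass.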
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package.](images/uwp-family.png) + ![details for offline app package](images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package.](images/uwp-dependencies.png) + ![required frameworks for offline app package](images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page. - ![generate license for offline app.](images/uwp-license.png) + ![generate license for offline app](images/uwp-license.png) [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) @@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct **During initial setup, from a USB drive** 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC.](images/oobe.jpg) + ![The first screen to set up a new PC](images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. 
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device.](images/prov.jpg) + ![Provision this device](images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package.](images/choose-package.png) + ![Choose a package](images/choose-package.png) 5. Select **Yes, add it**. @@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct 6. Read and accept the Microsoft Software License Terms. - ![Sign in.](images/license-terms.png) + ![Sign in](images/license-terms.png) 7. Select **Use Express settings**. - ![Get going fast.](images/express-settings.png) + ![Get going fast](images/express-settings.png) 8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. @@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct 9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - ![Connect to Azure AD.](images/connect-aad.png) + ![Connect to Azure AD](images/connect-aad.png) 10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - ![Sign in.](images/sign-in-prov.png) + ![Sign in](images/sign-in-prov.png) **After setup, from a USB drive, network folder, or SharePoint site** On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. -![add a package option.](images/package.png) +![add a package option](images/package.png) --> 
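Review bot: `![Sign in](images/license-terms.png)` in the @@ -188,11 hunk labels the license-terms screen as "Sign in", and `![Sign in](images/sign-in-prov.png)` in the @@ -200,18 hunk then repeats the identical alt for the actual sign-in step; suggest `![Microsoft Software License Terms](images/license-terms.png)` for the first, matching step 6. The @@ -200,18 hunk also ends on a `-->` context line, so this whole section is commented out and the edits do not affect the rendered page.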
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index e1acdf9f1d..b401df97ef 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D You can use the following diagram to compare the tools. -![Which tool to use to set up Windows 10.](images/suspc_wcd_featureslist.png) +![Which tool to use to set up Windows 10](images/suspc_wcd_featureslist.png) ## In this section diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 10e2d2f7e0..3044c770e5 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC' **Figure 1** - Configure Take a Test in the Set up School PCs app -![Configure Take a Test in the Set up School PCs app.](images/suspc_choosesettings_setuptakeatest.png) +![Configure Take a Test in the Set up School PCs app](images/suspc_choosesettings_setuptakeatest.png) ### Set up a test account in Intune for Education You can set up a test-taking account in Intune for Education. To do this, follow these steps: @@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 2** - Add a test profile in Intune for Education - ![Add a test profile in Intune for Education.](images/i4e_takeatestprofile_addnewprofile.png) + ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png) 3. In the new profile page: 1. Enter a name for the profile. 
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 3** - Add information about the test profile - ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png) + ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png) After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. @@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 4** - Assign the test account to a group - ![Assign the test account to a group.](images/i4e_takeatestprofile_accountsummary.png) + ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png) 5. In the **Groups** page, click **Change group assignments**. **Figure 5** - Change group assignments - ![Change group assignments.](images/i4e_takeatestprofile_groups_changegroupassignments.png) + ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png) 6. In the **Change group assignments** page: 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. 
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 6** - Select the group(s) that will use the test account - ![Select the groups that will use the test account.](images/i4e_takeatestprofile_groupassignment_selected.png) + ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png) And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests. @@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) The account can be in one of the following formats: - username diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 9d26301975..1286a5aec8 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC, **Figure 1** - Use the Settings app to set up a test-taking account - ![Use the Settings app to set up a test-taking account.](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) + ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) 4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account. **Figure 2** - Choose the test-taking account - ![Choose the test-taking account.](images/tat_settingsapp_setuptesttakingaccount_1703.png) + ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) > [!NOTE] > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index f9ba6a9479..7e016c22c0 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr ## How to use Take a Test -![Set up and user flow for the Take a Test app.](images/take_a_test_flow_dark.png) +![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png) There are several ways to configure devices for assessments, depending on your use case: diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 6f0d1d4341..136499ee4c 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly - You can assign the app to others. - You can download the app to distribute. - + ### Install for me You can install the app on your PC. This gives you a chance to work with the app before using it with your students. @@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. - + 3. Click **Install**. @@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. - + 3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) + ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) You can assign the app to students with work or school accounts.
If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. @@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with Students will receive an email with a link that will install the app on their PC. -![Email with Get the app link.](images/minecraft-student-install-email.png) +![Email with Get the app link](images/minecraft-student-install-email.png) 1. Click **Get the app** to start the app install in Microsoft Store app. 2. In Microsoft Store app, click **Install**. - ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) + ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png) After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. - ![My Library for example student.](images/minecraft-my-library.png) + ![My Library for example student](images/minecraft-my-library.png) ### Download for others Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: 
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) + ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) + ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ca36e12e5a..3f31119391 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
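Review bot: In the hunks at -132 and -145 of teacher-get-minecraft.md, the alt text "Microsoft Store app showing access to My Library" is copy-pasted onto three different images (`images/minecraft-private-store.png`, `images/mc-check-for-updates.png`, `images/mc-dnld-others-teacher.png`); only the first matches its picture, and the other two show the **Check for updates** step and the **Download for others** tab. Since these lines are modified anyway, fixing the alt text here, for example `![Check for updates in Microsoft Store app](images/mc-check-for-updates.png)`, would avoid shipping misleading alt text to screen-reader users.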
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**. - ![Launch the Set up School PCs app.](images/suspc_getstarted_050817.png) + ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) ### Package name Type a unique name to help distinguish your school's provisioning packages. The name appears: diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 3b6a109ef3..4294d7199e 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -18,7 +18,7 @@ ms.topic: conceptual # Get started: Deploy and manage a full cloud IT solution for your business -![Learn how to set up a full cloud infrastructure for your business.](images/business-cloud-mode.png) +![Learn how to set up a full cloud infrastructure for your business](images/business-cloud-mode.png) **Applies to:** @@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 1** - Try or buy Office 365 - ![Office 365 for business sign up.](images/office365_tryorbuy_now.png) + ![Office 365 for business sign up](images/office365_tryorbuy_now.png) 2. Fill out the sign up form and provide information about you and your company. 3. Create a user ID and password to use to sign into your account. @@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 2** - Microsoft 365 admin center - ![Microsoft 365 admin center.](images/office365_portal.png) + ![Microsoft 365 admin center](images/office365_portal.png) 6. Select the **Admin** tile to go to the admin center. 
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 3** - Admin center - ![Microsoft 365 admin center.](images/office365_admin_portal.png) + ![Microsoft 365 admin center](images/office365_admin_portal.png) 8. Go back to the admin center to add or buy a domain. @@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 4** - Option to add or buy a domain - ![Add or buy a domain in admin center.](images/office365_buy_domain.png) + ![Add or buy a domain in admin center](images/office365_buy_domain.png) 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. **Figure 5** - Microsoft-provided domain - ![Microsoft-provided domain.](images/office365_ms_provided_domain.png) + ![Microsoft-provided domain](images/office365_ms_provided_domain.png) - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. 
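Review bot: In the hunk at -86 of cloud-mode-business-setup.md, `images/office365_admin_portal.png` keeps the alt text "Microsoft 365 admin center", identical to the alt text on `images/office365_portal.png` in the hunk at -76, even though the figure captions distinguish them ("Microsoft 365 admin center" versus "Admin center"). Consider aligning the second alt text with its caption so the two figures are distinguishable without the image.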
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 6** - Domains - ![Verify your domains in the admin center.](images/office365_additional_domain.png) + ![Verify your domains in the admin center](images/office365_additional_domain.png) ### 1.2 Add users and assign product licenses Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center. @@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 7** - Add users - ![Add Office 365 users.](images/office365_users.png) + ![Add Office 365 users](images/office365_users.png) 2. In the **Home > Active users** page, add users individually or in bulk. - To add users one at a time, select **+ Add a user**. @@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 8** - Add an individual user - ![Add an individual user.](images/office365_add_individual_user.png) + ![Add an individual user](images/office365_add_individual_user.png) - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. 
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 9** - Import multiple users - ![Import multiple users.](images/office365_import_multiple_users.png) + ![Import multiple users](images/office365_import_multiple_users.png) 3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them. **Figure 10** - List of active users - ![Verify users and assigned product licenses.](images/o365_active_users.png) + ![Verify users and assigned product licenses](images/o365_active_users.png) ### 1.3 Add Microsoft Intune Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see What is Intune? @@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag **Figure 11** - Assign Intune licenses - ![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png) + ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png) 5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again. 6. Select **Intune**. This will take you to the Intune management portal. **Figure 12** - Microsoft Intune management portal - ![Microsoft Intune management portal.](images/intune_portal_home.png) + ![Microsoft Intune management portal](images/intune_portal_home.png) Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution). 
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick **Figure 13** - Access to Azure AD is not available - ![Access to Azure AD not available.](images/azure_ad_access_not_available.png) + ![Access to Azure AD not available](images/azure_ad_access_not_available.png) 3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365. 4. Click **Azure subscription**. This will take you to a free trial sign up screen. **Figure 14** - Sign up for Microsoft Azure - ![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png) + ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png) 5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**. 6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**. **Figure 15** - Start managing your Azure subscription - ![Start managing your Azure subscription.](images/azure_ad_successful_signup.png) + ![Start managing your Azure subscription](images/azure_ad_successful_signup.png) This will take you to the Microsoft Azure portal. @@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the Microsoft Store for Business using the same tenant account that you used to sign into Intune. 4. Accept the EULA. 
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**. 8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune. **Figure 26** - Configure Store for Business sync in Intune - ![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png) + ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png) 9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**. **Figure 27** - Enable Microsoft Store for Business sync in Intune - ![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png) + ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png) The **Microsoft Store for Business** page will refresh and it will show the details from the sync. @@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S **Figure 28** - Shop for Store apps - ![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png) + ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png) 2. Click to select an app, such as **Reader**. This opens the app page. 3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page. 
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S **Figure 29** - App inventory shows the purchased apps - ![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png) + ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png) > [!NOTE] > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). @@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your **Figure 30** - Force a sync in Intune - ![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png) + ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png) **To view purchased apps** - In the Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly. @@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi **Figure 31** - First screen in Windows device setup - ![First screen in Windows device setup.](images/win10_hithere.png) + ![First screen in Windows device setup](images/win10_hithere.png) > [!NOTE] > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. 
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi **Figure 32** - Choose how you'll connect your Windows device - ![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png) + ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png) 4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts. **Figure 33** - Sign in using one of the accounts you added - ![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png) + ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png) 5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup. @@ -430,7 +430,7 @@ In the Intune management **Figure 34** - Check the PC name on your device - ![Check the PC name on your device.](images/win10_settings_pcname.png) + ![Check the PC name on your device](images/win10_settings_pcname.png) 2. Log in to the Intune management portal. 3. Select **Groups** and then go to **Devices**. 
@@ -441,7 +441,7 @@ In the Intune management **Figure 35** - Check that the device appears in Intune - ![Check that the device appears in Intune.](images/intune_groups_devices_list.png) + ![Check that the device appears in Intune](images/intune_groups_devices_list.png) ## 3. Manage device settings and features You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). @@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 36** - Reconfigure an app's deployment setting in Intune - ![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png) + ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png) 6. Click **Finish**. 7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible. @@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 37** - Confirm that additional apps were deployed to the device - ![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png) + ![Confirm that additional apps were deployed to the device](images/win10_deploy_apps_immediately.png) ### 3.2 Configure other settings in Intune @@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 38** - Add a configuration policy - ![Add a configuration policy.](images/intune_policy_disablecamera.png) + ![Add a configuration policy](images/intune_policy_disablecamera.png) 7. Click **Save Policy**. A confirmation window will pop up. 8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now. 
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 39** - The new policy should appear in the **Policies** list. - ![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png) + ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png) **To turn off Windows Hello and PINs during device setup** 1. In the Intune management portal, select **Admin**. @@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 40** - Policy to disable Windows Hello for Business - ![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png) + ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png) 4. Click **Save**. 
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne **Figure 41** - Add an Azure AD account to the device - ![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png) + ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png) 4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user. **Figure 42** - Enter the account details - ![Enter the account details.](images/win10_add_new_user_account_aadwork.png) + ![Enter the account details](images/win10_add_new_user_account_aadwork.png) 5. You will be asked to update the password so enter a new password. 6. Verify the details to make sure you're connecting to the right organization and then click **Join**. **Figure 43** - Make sure this is your organization - ![Make sure this is your organization.](images/win10_confirm_organization_details.png) + ![Make sure this is your organization](images/win10_confirm_organization_details.png) 7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**. **Figure 44** - Confirmation that the device is now connected - ![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png) + ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png) 8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources. **Figure 45** - Device is now enrolled in Azure AD - ![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png) + ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png) 9. 
You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. diff --git a/smb/index.md b/smb/index.md index a6ae7f1200..cc4c596a1c 100644 --- a/smb/index.md +++ b/smb/index.md @@ -17,16 +17,16 @@ audience: itpro # Windows 10 for SMB -![Windows 10 for SMB.](images/smb_portal_banner.png) +![Windows 10 for SMB](images/smb_portal_banner.png) -## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn +## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn

Windows 10 for business
Learn how Windows 10 and Windows devices can help your business.

SMB blog
Read about the latest stories, technology insights, and business strategies for SMBs.

How to buy
Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.

-## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy +## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy

Get started: Deploy and manage a full cloud IT solution for your business
Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.

diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index 882b7e57ba..73c2ce1f3d 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add 2. Select **Manage**, and then select **Settings**. 3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**. -![manage settings to control Basic Purchaser role assignment.](images/sfb-allow-shop-setting.png) +![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png) ## Allow app requests diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index bee1e82435..26bb2598f8 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -51,7 +51,7 @@ invoice and descriptions for each term. The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay. -![Invoice summary section.](images/invoicesummary.png) +![Invoice summary section](images/invoicesummary.png) | Term | Description | @@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab The **Billing Summary** shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due. -![Billing summary section.](images/billingsummary.png) +![Billing summary section](images/billingsummary.png) | Term | Description | | --- | --- | 
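Review bot: The context line "On **Shop**, , under **Shopping behavior**" in the hunk at -55 of acquire-apps-microsoft-store-for-business.md has a doubled comma; since this hunk already edits the adjacent image line, it would be worth dropping the stray comma in the same change.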
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure `Total = Charges/Credits - Azure Credit + Tax` -![Details by invoice section.](images/invoicesectiondetails.png) +![Details by invoice section](images/invoicesectiondetails.png) | Term |Description | | --- | --- | diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index 3bdd7d61bc..bb29be21a9 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -91,7 +91,7 @@ Get-MSStoreInventory >1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/). >2. Click **Manage** and then choose **Apps & software**. >3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example: ->![Url after apps/ is product id and next is SKU.](images/lob-sku.png) +>![Url after apps/ is product id and next is SKU](images/lob-sku.png) ## View people assigned to a product Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands: diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index 0a66d2a739..784e422a8a 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co 1. Click the people icon in Microsoft Store app, and click **Sign in**. - ![Sign in to Store app with a different account.](images/wsfb-wsappsignin.png) + ![Sign in to Store app with a different account](images/wsfb-wsappsignin.png) 2. Click **Add account**, and then click **Work or school account**. - ![Choose an account to use.](images/wsfb-wsappaddacct.png) + ![Choose an account to use](images/wsfb-wsappaddacct.png) 3. Type the email account and password, and click **Sign in**. - ![Sign in for work or school account.](images/wsfb-wsappworkacct.png) + ![Sign in for work or school account](images/wsfb-wsappworkacct.png) 4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**. - ![Private store with name highlighted.](images/wsfb-wsappprivatestore.png) + ![Private store with name highlighted](images/wsfb-wsappprivatestore.png) Click the private store to see apps in your private store. - ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png) + ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png) ## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 4b0cd1e47d..66f34fdabe 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f :::row::: :::column span="1"::: - ![Security groups.](images/security-groups-icon.png) + ![Security groups](images/security-groups-icon.png) :::column-end::: :::column span="1"::: **Use security groups with Private store apps**

On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.

[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education @@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features! | | | |-----------------------|---------------------------------| -| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**

We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

[Get more info](./manage-private-store-settings.md#private-store-performance)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**

We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

[Get more info](./manage-private-store-settings.md#private-store-performance)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | | **Manage Windows device deployment with Windows Autopilot Deployment**

In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.

[Get more info](add-profile-to-devices.md)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | || ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**

You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.

[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 8efc8effad..2150c9e7c3 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -46,7 +46,7 @@ You'll need to set up: - LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store. The process and timing look like this: -![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png) +![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png) ## Add an LOB publisher (Admin) Admins need to invite developer or ISVs to become an LOB publisher. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 130ad633ee..b0bdee5283 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). -![Package add file and registry data.](images/packageaddfileandregistrydata.png) +![Package add file and registry data](images/packageaddfileandregistrydata.png) **Package add file and registry data** 
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. -![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png) +![package add file and registry data - global](images/packageaddfileandregistrydata-global.png) **Package add file and registry data—global** @@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A 7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis. - ![package add file and registry data - stream.](images/packageaddfileandregistrydata-stream.png) + ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png) **Package add file and registry data—stream** diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 4183212c31..501a6eae9f 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md 
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi |Status|Task|References|Notes| |---|---|---|---| -|![Checklist box.](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)|| >[!NOTE] >Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process. diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 9bde5d0531..e8785b3d7f 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit 1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). 2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation. - ![Selecting APP-V features in ADK.](images/app-v-in-adk.png) + ![Selecting APP-V features in ADK](images/app-v-in-adk.png) 3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**. See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 50887ca724..e838f04c45 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md 
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for |Status|Task|References|Notes| |---|---|---|---| -|![Checklist box.](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)|| +|![Checklist 
box](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| +|![Checklist box](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 0a72c19e87..d123957cd1 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background.  -![Background apps settings page.](images/backgroundapps-setting.png) +![Background apps settings page](images/backgroundapps-setting.png) The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:  -![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png) +![Battery usage by app on desktop](images/battery-usage-by-app-desktop.png) Here is the set of available controls for mobile devices:  -![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) +![Battery usage by app on mobile](images/battery-usage-by-app-mobile.png) Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 4483687ba8..0cda2dc8c9 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d 5. Right-click **Registry** > **New** > **Registry Item**. - ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) + ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) 6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. - ![Choose HKLM.](media/gpp-hklm.png) + ![Choose HKLM](media/gpp-hklm.png) 7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. - ![Select Start.](media/gpp-svc-start.png) + ![Select Start](media/gpp-svc-start.png) 8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. - ![Startup Type is Disabled.](media/gpp-svc-disabled.png) + ![Startup Type is Disabled](media/gpp-svc-disabled.png) 9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. 
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): -![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) +![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) > [!CAUTION] > We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry: -![Create per-user services in disabled state.](media/user-service-flag.png) +![Create per-user services in disabled state](media/user-service-flag.png) ### Manage template services by modifying the Windows image @@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance. -![Use sc.exe to view service type.](media/cmd-type.png) \ No newline at end of file +![Use sc.exe to view service type](media/cmd-type.png) \ No newline at end of file 
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 8482a3497c..4130fde7e5 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You For example, here are the running processes displayed in Task Manager in Windows 10 version 1607: -![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) +![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png) Compare that to the same view of running processes in Windows 10 version 1703: -![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png) +![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png) @@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The default value of **1** prevents the service from being split. For example, this is the registry key configuration for BFE: -![Example of a service that cannot be separated.](media/svchost-separation-disabled.png) +![Example of a service that cannot be separated](media/svchost-separation-disabled.png) ## Memory footprint @@ -77,7 +77,7 @@ Consider the following: |Grouped Services (< 3.5GB) | Split Services (3.5GB+) |--------------------------------------- | ------------------------------------------ | -|![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | +|![Memory utilization for grouped services](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | > [!NOTE] > The above represents the peak observed values. 
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 6da0fdfdb9..260944a53c 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -23,11 +23,11 @@ ms.topic: article Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. -![Screenshot of Control Panel.](images/admin-tools.png) +![Screenshot of Control Panel](images/admin-tools.png) The tools in the folder might vary depending on which edition of Windows you are using. -![Screenshot of folder of admin tools.](images/admin-tools-folder.png) +![Screenshot of folder of admin tools](images/admin-tools-folder.png) These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index c2a8ea0c57..ac96c101cf 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. - ![example of an audit failure.](images/auditfailure.png) + ![example of an audit failure](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

‎ - ![example of an audit success.](images/auditsuccess.png) + ![example of an audit success](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: -![event viewer screenshot showing wired-autoconfig and WLAN autoconfig.](images/eventviewer.png) +![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. First, validate the type of EAP method that's used: -![eap authentication type comparison.](images/comparisontable.png) +![eap authentication type comparison](images/comparisontable.png) If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section. 
-![Constraints tab of the secure wireless connections properties.](images/eappropertymenu.png) +![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) The CAPI2 event log is useful for troubleshooting certificate-related issues. By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**. -![screenshot of event viewer.](images/capi.png) +![screenshot of event viewer](images/capi.png) For information about how to analyze CAPI2 event logs, see [Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: -![authenticator flow chart.](images/authenticator_flow_chart.png) +![authenticator flow chart](images/authenticator_flow_chart.png) If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples: -![client-side packet capture data.](images/clientsidepacket_cap_data.png) +![client-side packet capture data](images/clientsidepacket_cap_data.png) *Client-side packet capture data*

-![NPS-side packet capture data.](images/NPS_sidepacket_capture_data.png) +![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) *NPS-side packet capture data*
‎ > [!NOTE] > If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example: -![ETL parse.](images/etl.png) +![ETL parse](images/etl.png) ## Audit policy diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index d039c10c17..646585085e 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. -![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
+![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)
[Click to enlarge](img-boot-sequence.md)
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 57d2cc10a8..ce4154396e 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -152,7 +152,7 @@ The important components of the MSM include: - Security Manager (SecMgr) - handles all pre and post-connection security operations. - Authentication Engine (AuthMgr) – Manages 802.1x auth requests - ![MSM details.](images/msmdetails.png) + ![MSM details](images/msmdetails.png) Each of these components has their own individual state machines which follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. @@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta In the following example, the **View** settings are configured to **Show Only Filtered Lines**. -![TAT filter example.](images/tat.png) \ No newline at end of file +![TAT filter example](images/tat.png) \ No newline at end of file diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index d59710d70b..69fa51d4e4 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -54,4 +54,4 @@ To change the policy for an external storage device: 7. Select the policy that you want to use. - ![Policy options for disk management.](./images/change-def-rem-policy-2.png) + ![Policy options for disk management](./images/change-def-rem-policy-2.png) 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 4d8f35673e..275869bf99 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -24,7 +24,7 @@ ms.topic: article From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). -![Remote Desktop Connection client.](images/rdp.png) +![Remote Desktop Connection client](images/rdp.png) ## Set up @@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer.](images/allow-rdp.png) + ![Allow remote connections to this computer](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md index 6ce343dade..b1077e5be6 100644 --- a/windows/client-management/img-boot-sequence.md +++ b/windows/client-management/img-boot-sequence.md 
@@ -14,4 +14,4 @@ ms.prod: w10 Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-![Full-sized boot sequence flowchart.](images/boot-sequence.png) +![Full-sized boot sequence flowchart](images/boot-sequence.png) diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 9354d9c8c9..376916c1d3 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support. -![Task manager.](images/task-manager.png) +![Task manager](images/task-manager.png) The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage. -![Out of memory.](images/out-of-memory.png) +![Out of memory](images/out-of-memory.png) -![Task Manager.](images/task-manager-commit.png) +![Task Manager](images/task-manager-commit.png) The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values. diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index db00986ab0..263dd24430 100644 
--- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. -![Device Installation policies flow chart.](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ +![Device Installation policies flow chart](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ @@ -261,17 +261,17 @@ To find device identification strings using Device Manager 4. Find the “Printers” section and find the target printer - ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ + ![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ 5. Double-click the printer and move to the ‘Details’ tab. - ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ + ![‘Details’ tab](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ 6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies. - ![HWID.](images/device-installation-dm-printer-hardware-ids.png) + ![HWID](images/device-installation-dm-printer-hardware-ids.png) - ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ + ![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ > [!TIP] > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs. @@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed: 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 7. Click ‘OK’. @@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed: 1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously - ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ + ![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ 2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers @@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed: 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 - ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ + ![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ 6. Click ‘OK’. @@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 7. Click ‘OK’. @@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) - ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ + ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. @@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. - ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ + ![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ 12. Click ‘OK’. @@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l 3. Find the USB thumb-drive and select it. - ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ + ![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ 4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree. - ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ + ![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ > [!NOTE] > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked. - ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ + ![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ 5. Double-click the USB thumb-drive and move to the ‘Details’ tab. 6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ + ![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ Creating the policy to prevent a single USB thumb-drive from being installed: @@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ + ![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ 6. Click ‘OK’. @@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 - “Generic USB Hub” -> USB\USB20_HUB -![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ +![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine. @@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. - ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ + ![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. @@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ + ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ 13. Click ‘OK’. diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index f64ee0de0c..a177277d07 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -35,7 +35,7 @@ Policy paths: **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. -![Settings page visibility policy.](images/settings-page-visibility-gp.png) +![Settings page visibility policy](images/settings-page-visibility-gp.png) ## Configuring the Group Policy diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0e9dd8a789..22ba2d74a8 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. -![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png) +![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png) ## Settings and Configuration diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 7b77f47742..b5b30659d6 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md 
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want, > [!TIP] > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: > - > ![Microsoft Bing Translator package error.](images/sysprep-error.png) + > ![Microsoft Bing Translator package error](images/sysprep-error.png) > > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. @@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want, 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of User Profiles UI.](images/copy-to.png) + ![Example of User Profiles UI](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. - ![Example of Copy To UI.](images/copy-to-change.png) + ![Example of Copy To UI](images/copy-to-change.png) 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. 
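Review bot: In the @@ -56 hunk of introduction-page-file.md (earlier in this patch), the two Task Manager screenshots end up with alt text that differs only in capitalization, `Task manager` for task-manager.png and `Task Manager` for task-manager-commit.png, so a screen-reader user cannot tell them apart. The surrounding text already names what each shows (the **Performance** tab memory view, and the committed charge versus commit limit), so use that in the alt text and pick one capitalization.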
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want, - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of Copy profile to.](images/copy-to-path.png) + ![Example of Copy profile to](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path.](images/copy-to-path.png) + ![Example of Copy To UI with UNC path](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. 
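Review bot: In the @@ -98 hunk of mandatory-user-profile.md both bullets point at the same file, `images/copy-to-path.png`, but with different alt text (`Example of Copy profile to` for the domain-joined case and `Example of Copy To UI with UNC path` for the non-domain-joined case). If both cases really show the same screenshot, the alt text should match; if they are meant to differ, the second bullet needs its own image. Since the alt text is being edited here, this is the moment to confirm which it is.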
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | | --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | > [!NOTE] > The Group Policy settings above can be applied in Windows 10 
Professional edition. diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 42722f7bd7..930343209f 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic The following diagram shows the AccountManagement configuration service provider in tree format. -![accountmanagement csp.](images/provisioning-csp-accountmanagement.png) +![accountmanagement csp](images/provisioning-csp-accountmanagement.png) **./Vendor/MSFT/AccountManagement** Root node for the AccountManagement configuration service provider. diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 64394a6989..34f60116f4 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md 
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a 1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png) + ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png) 2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available. - ![sign up for azure ad.](images/azure-ad-add-tenant2.png) + ![sign up for azure ad](images/azure-ad-add-tenant2.png) 3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**. - ![create azure account.](images/azure-ad-add-tenant3.png) + ![create azure account](images/azure-ad-add-tenant3.png) 4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**. - ![add aad tenant.](images/azure-ad-add-tenant3-b.png) + ![add aad tenant](images/azure-ad-add-tenant3-b.png) 5. After you finish creating your Azure account, you can add an Azure AD subscription. If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - ![login to office 365.](images/azure-ad-add-tenant4.png) + ![login to office 365](images/azure-ad-add-tenant4.png) 6. Select **Install software**. - ![login to office 365.](images/azure-ad-add-tenant5.png) + ![login to office 365](images/azure-ad-add-tenant5.png) 7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation. 
- ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png) + ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png) 8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase. - ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png) + ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png) 9. Continue with your purchase. - ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) + ![azure active directory premium payment page](images/azure-ad-add-tenant8.png) 10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....). - ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) + ![admin center left navigation menu](images/azure-ad-add-tenant9.png) When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications. 
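Review bot: In the @@ -21 hunk of add-an-azure-ad-tenant-and-azure-ad-subscription.md, steps 5 and 6 keep identical alt text `login to office 365` for two different screenshots (azure-ad-add-tenant4.png and azure-ad-add-tenant5.png); step 6 is the **Install software** selection, so its alt text should say so rather than repeat step 5's. The unchanged context in step 5 also reads `Office 356 portal` and `user1@contosoltd.onmicrosoftcom` (missing the dot before `com`), both of which this pass over the file could fix.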
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent 1. Sign in to the Microsoft 365 admin center at using your organization's account. - ![register azuread.](images/azure-ad-add-tenant10.png) + ![register azuread](images/azure-ad-add-tenant10.png) 2. On the **Home** page, select on the Admin tools icon. - ![register azuread.](images/azure-ad-add-tenant11.png) + ![register azuread](images/azure-ad-add-tenant11.png) 3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. - ![register azuread.](images/azure-ad-add-tenant12.png) + ![register azuread](images/azure-ad-add-tenant12.png) 4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - ![register azuread.](images/azure-ad-add-tenant13.png) + ![register azuread](images/azure-ad-add-tenant13.png) 5. It may take a few minutes to process the request. - ![register azuread.](images/azure-ad-add-tenant14.png) + ![register azuread](images/azure-ad-add-tenant14.png) 6. You will see a welcome page when the process completes. - ![register azuread.](images/azure-ad-add-tenant15.png) + ![register azuread](images/azure-ad-add-tenant15.png) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 5669fcf0f8..3df830bda7 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace. The **Device Portal** page opens on your browser. - ![device portal screenshot.](images/applocker-screenshot1.png) + ![device portal screenshot](images/applocker-screenshot1.png) 8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. 9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. - ![device portal app manager.](images/applocker-screenshot3.png) + ![device portal app manager](images/applocker-screenshot3.png) 10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. - ![app manager.](images/applocker-screenshot2.png) + ![app manager](images/applocker-screenshot2.png) The following table shows the mapping of information to the AppLocker publisher rule field. diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 4c8f6eaecd..157bf6f4d0 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -23,7 +23,7 @@ manager: dansimp [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) -![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png) +![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.
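Review bot: In the @@ -69 hunk of add-an-azure-ad-tenant-and-azure-ad-subscription.md (the previous file in this patch), all six screenshots (azure-ad-add-tenant10.png through azure-ad-add-tenant15.png) carry the same alt text `register azuread`, so assistive technology announces six indistinguishable images. Each step already describes its screenshot (admin center sign-in, Admin tools icon, Azure AD link on the Admin center page, the Sign up page, the processing state, the welcome page); reuse those descriptions as the alt text.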
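Review bot: In the applocker-csp.md hunk, the alt texts `device portal screenshot`, `device portal app manager` and `app manager` convey almost nothing about the images; steps 7, 9 and 10 already say what each shows (the **Device Portal** page, the **App Manager** with **Publisher** and **PackageFullName** under **Running apps**, and the **Installed apps** drop-down with Version, Publisher and PackageFullName), so use that wording. The unchanged context in step 10 also contains `drop- down` with a stray space.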
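Review bot: In the appv-deploy-and-config.md hunk, the context line `(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.` renders as a bare parenthesized path, whereas the other CSP pages in this patch present the root node in bold (for example `**./Vendor/MSFT/AccountManagement**` in accountmanagement-csp.md). Consider aligning it with that convention while the image line just above it is being edited.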

diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 97f22aae88..82a11f3eb6 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint. -![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) +![azure ad enrollment flow](images/azure-ad-enrollment-flow.png) The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic. 
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software. -![azure ad add an app for mdm.](images/azure-ad-app-gallery.png) +![azure ad add an app for mdm](images/azure-ad-app-gallery.png) ### Add cloud-based MDM to the app gallery @@ -732,7 +732,7 @@ Response: When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenrollment.](images/azure-ad-unenrollment.png) +![aadj unenrollment](images/azure-ad-unenrollment.png) ## Error codes diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index ce25592491..21499425a9 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -20,10 +20,10 @@ manager: dansimp 2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. 3. Select **Microsoft Intune** and configure the blade. -![How to get to the Blade.](images/azure-mdm-intune.png) +![How to get to the Blade](images/azure-mdm-intune.png) Configure the blade -![Configure the Blade.](images/azure-intune-configure-scope.png) +![Configure the Blade](images/azure-intune-configure-scope.png) You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). 
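Review bot: In the azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md hunk, the unchanged line `Configure the blade` sits between the two images as a bare fragment that is neither a numbered step nor a caption; since steps 2 and 3 are numbered, make this `4. Configure the blade.` or turn it into a caption for the second screenshot. The two alt texts `How to get to the Blade` and `Configure the Blade` also capitalize "Blade" differently from the body text; pick one form.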
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index e07354fa81..0bb9326924 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png) +![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png) **CONTEXT-ALLOW** Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 15a939f7eb..46ee3a5e98 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png) +![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png) ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. 
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index d1db6d514e..4fabdbc971 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re 1. Open the WCD tool. 2. Click **Advanced Provisioning**. - ![icd start page.](images/bulk-enrollment7.png) + ![icd start page](images/bulk-enrollment7.png) 3. Enter a project name and click **Next**. 4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). Here is the screenshot of the WCD at this point. - ![bulk enrollment screenshot.](images/bulk-enrollment.png) + ![bulk enrollment screenshot](images/bulk-enrollment.png) 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 11. On the main menu click **Export** > **Provisioning package**. - ![icd menu for export.](images/bulk-enrollment2.png) + ![icd menu for export](images/bulk-enrollment2.png) 12. Enter the values for your package and specify the package output location. - ![enter package information.](images/bulk-enrollment3.png) - ![enter additional information for package information.](images/bulk-enrollment4.png) - ![specify file location.](images/bulk-enrollment6.png) + ![enter package information](images/bulk-enrollment3.png) + ![enter additional information for package information](images/bulk-enrollment4.png) + ![specify file location](images/bulk-enrollment6.png) 13. Click **Build**. - ![icb build window.](images/bulk-enrollment5.png) + ![icb build window](images/bulk-enrollment5.png) 14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 15. Apply the package to your devices. 
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re 5. Set **ExportCertificate** to False. 6. For **KeyLocation**, select **Software only**. - ![icd certificates section.](images/bulk-enrollment8.png) + ![icd certificates section](images/bulk-enrollment8.png) 7. Specify the workplace settings. 1. Got to **Workplace** > **Enrollments**. 2. Enter the **UPN** for the enrollment and then click **Add**. diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index ab4cb97c8f..64372f26a8 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -21,7 +21,7 @@ The CellularSettings configuration service provider is used to configure cellula The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png) +![provisioning for cellular settings](images/provisioning-csp-cellularsettings.png) **DataRoam**

Optional. Integer. Specifies the default roaming value. Valid values are:

diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 1d42413872..5063181c3f 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -20,7 +20,7 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) +![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png) ***entryname***

Defines the name of the connection.

diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d4793c91e6..cce8060fe3 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices: | Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 | |------|--------|--------|--------| -| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) -| [Accounts CSP](accounts-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [AppLocker CSP](applocker-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | -| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [CertificateStore CSP](certificatestore-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | -| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevDetail CSP](devdetail-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | -| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [DeviceStatus 
CSP](devicestatus-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevInfo CSP](devinfo-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMAcc CSP](dmacc-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMClient CSP](dmclient-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| -| [NodeCache CSP](nodecache-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [RemoteFind CSP](remotefind-csp.md) | 
![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [Update CSP](update-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WiFi CSP](wifi-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) +| [Accounts CSP](accounts-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross 
mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | +| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | +| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | +| 
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| +| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | +| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check 
mark](images/checkmark.png) | +| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index cc589f1f13..8e886f3661 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd The following diagram provides a conceptual overview of how this works: -![mobile device update management.](images/mdm-update-sync.png) +![mobile device update management](images/mdm-update-sync.png) The diagram can be roughly divided into three areas: @@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need This section describes how this is done. The following diagram shows the server-server sync protocol process. -![mdm server-server sync.](images/deviceupdateprocess2.png) +![mdm server-server sync](images/deviceupdateprocess2.png) MSDN provides much information about the Server-Server sync protocol. In particular: @@ -140,7 +140,7 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy The following diagram shows the Update policies in a tree format. -![update policies.](images/update-policies.png) +![update policies](images/update-policies.png) **Update/ActiveHoursEnd** > [!NOTE] 
@@ -676,7 +676,7 @@ Example The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format.. -![provisioning csp update.](images/provisioning-csp-update.png) +![provisioning csp update](images/provisioning-csp-update.png) **Update** The root node. @@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. -![mdm update management screenshot.](images/deviceupdatescreenshot1.png) +![mdm update management screenshot](images/deviceupdatescreenshot1.png) -![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) +![mdm update management metadata screenshot](images/deviceupdatescreenshot2.png) ## SyncML example 
@@ -945,5 +945,5 @@ Set auto update to notify and defer. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. -![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) +![mdm device update management screenshot3](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 0db22bf159..f24564545c 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md 
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile. The following diagram shows the DeviceInstanceService configuration service provider in tree format. -![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png) +![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png) **Roaming** A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming. diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 9933e58a23..cef65071ec 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled) The following image shows the DeviceLock configuration service provider in tree format. -![devicelock csp.](images/provisioning-csp-devicelock.png) +![devicelock csp](images/provisioning-csp-devicelock.png) **Provider** Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 92ed52968c..6043b61d8c 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m 1. On your managed device go to **Settings** > **Accounts** > **Access work or school**. 1. Click your work or school account, then click **Info.** - ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) + ![Access work or school page in Settings](images/diagnose-mdm-failures15.png) 1. At the bottom of the **Settings** page, click **Create report**. - ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png) + ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png) 1. A window opens that shows the path to the log files. Click **Export**. - ![Access work or school log files.](images/diagnose-mdm-failures17.png) + ![Access work or school log files](images/diagnose-mdm-failures17.png) 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. @@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event Here's a screenshot: -![mdm event viewer.](images/diagnose-mdm-failures1.png) +![mdm event viewer](images/diagnose-mdm-failures1.png) In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer. 
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches 1. Open eventvwr.msc. 2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. - ![event viewer screenshot.](images/diagnose-mdm-failures9.png) + ![event viewer screenshot](images/diagnose-mdm-failures9.png) 3. Navigate to the etl file that you got from the device and then open the file. 4. Click **Yes** when prompted to save it to the new log format. - ![event viewer prompt.](images/diagnose-mdm-failures10.png) + ![event viewer prompt](images/diagnose-mdm-failures10.png) - ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) + ![diagnose mdm failures](images/diagnose-mdm-failures11.png) 5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. - ![event viewer actions.](images/diagnose-mdm-failures12.png) + ![event viewer actions](images/diagnose-mdm-failures12.png) 6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. - ![event filter for Device Management.](images/diagnose-mdm-failures13.png) + ![event filter for Device Management](images/diagnose-mdm-failures13.png) 7. Now you are ready to start reviewing the logs. - ![event viewer review logs.](images/diagnose-mdm-failures14.png) + ![event viewer review logs](images/diagnose-mdm-failures14.png) ## Collect device state data diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 5f48d033a0..35fe6568b0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenerollment.](images/azure-ad-unenrollment.png) +![aadj unenerollment](images/azure-ad-unenrollment.png) When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 2ef69ad6c3..43882781ec 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md 
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s 1. Run rasphone.exe. - ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png) + ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png) 1. If you don't currently have a VPN connection and you see the following message, select **OK**. - ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png) + ![vpnv2 csp network connections](images/vpnv2-csp-networkconnections.png) 1. In the wizard, select **Workplace network**. - ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) + ![vpnv2 csp set up connection](images/vpnv2-csp-setupnewconnection.png) 1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters. - ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) + ![vpnv2 csp set up connection 2](images/vpnv2-csp-setupnewconnection2.png) 1. Create a fake VPN connection. In the UI shown here, select **Properties**. - ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png) + ![vpnv2 csp choose nw connection](images/vpnv2-csp-choosenetworkconnection.png) 1. In the **Test Properties** dialog, select the **Security** tab. - ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png) + ![vpnv2 csp test props](images/vpnv2-csp-testproperties.png) 1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. - ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png) + ![vpnv2 csp test props2](images/vpnv2-csp-testproperties2.png) 1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. - ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) + ![vpnv2 csp test props3](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) 1. 
Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. @@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Follow steps 1 through 7 in the EAP configuration article. 1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS). - ![vpn self host properties window.](images/certfiltering1.png) + ![vpn self host properties window](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. @@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Select the **Properties** button underneath the drop-down menu. 1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window.](images/certfiltering2.png) + ![smart card or other certificate properties window](images/certfiltering2.png) 1. On the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate window.](images/certfiltering3.png) + ![configure certificate window](images/certfiltering3.png) 1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. 1. Close the rasphone dialog box. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index cfc9928a0b..d6a0127bab 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 2. Under **Best match**, click **Edit group policy** to launch it. - ![GPEdit search.](images/admx-gpedit-search.png) + ![GPEdit search](images/admx-gpedit-search.png) 3. In **Local Computer Policy** navigate to the policy you want to configure. In this example, navigate to **Administrative Templates > System > App-V**. - ![App-V policies.](images/admx-appv.png) + ![App-V policies](images/admx-appv.png) 4. Double-click **Enable App-V Client**. The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters) - ![Enable App-V client.](images/admx-appv-enableapp-vclient.png) + ![Enable App-V client](images/admx-appv-enableapp-vclient.png) 3. Create the SyncML to enable the policy that does not require any parameter. 
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy. - ![Enable publishing server 2 policy.](images/admx-appv-publishingserver2.png) + ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png) - ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png) + ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png) 2. Find the variable names of the parameters in the ADMX file. You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). - ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) + ![Publishing server 2 policy description](images/admx-appv-policy-description.png) 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index bab52cb7fd..f4c951af17 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md 
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we The following diagram shows a high-level overview of the process. -![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png) +![update process for windows embedded 8.1 devices](images/windowsembedded-update.png) ## Step 1: Prepare a test device to download updates from Microsoft Update @@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo 1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline. - ![device scan using Configuration Manager.](images/windowsembedded-update2.png) + ![device scan using Configuration Manager](images/windowsembedded-update2.png) 2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step. - ![device scan using Configuration Manager.](images/windowsembedded-update3.png) + ![device scan using Configuration Manager](images/windowsembedded-update3.png) 3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. - ![device scan using Configuration Manager.](images/windowsembedded-update4.png) + ![device scan using Configuration Manager](images/windowsembedded-update4.png) 4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.) 5. Follow the prompts for downloading the updates, but do not install the updates on the device. 
@@ -216,11 +216,11 @@ The deployment process has three parts: 1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**. - ![embedded device update.](images/windowsembedded-update18.png) + ![embedded device update](images/windowsembedded-update18.png) 2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`. - ![embedded device update.](images/windowsembedded-update19.png) + ![embedded device update](images/windowsembedded-update19.png) 3. Select **Remediate noncompliant settings**, and then select **OK**. @@ -231,7 +231,7 @@ The deployment process has three parts: 1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` 2. Select **Remediate noncompliant settings**. - ![embedded device update.](images/windowsembedded-update21.png) + ![embedded device update](images/windowsembedded-update21.png) 3. Select **OK**. @@ -242,11 +242,11 @@ The deployment process has three parts: 1. Create a configuration baseline item and give it a name (such as ControlledUpdates). 2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**. - ![embedded device update.](images/windowsembedded-update22.png) + ![embedded device update](images/windowsembedded-update22.png) 3. Deploy the configuration baseline to the appropriate device or device collection. - ![embedded device update.](images/windowsembedded-update23.png) + ![embedded device update](images/windowsembedded-update23.png) 4. Select **OK**. 
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices: 2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**. 3. Select **Create Configuration Item**. - ![device update using Configuration Manager.](images/windowsembedded-update5.png) + ![device update using Configuration Manager](images/windowsembedded-update5.png) 4. Enter a filename (such as GetDUReport), and then select **Mobile Device**. 5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**. - ![device update using Configuration Manager.](images/windowsembedded-update6.png) + ![device update using Configuration Manager](images/windowsembedded-update6.png) 6. On the **Additional Settings** page, select **Add**. - ![device update using Configuration Manager.](images/windowsembedded-update7.png) + ![device update using Configuration Manager](images/windowsembedded-update7.png) 7. On the **Browse Settings** page, select **Create Setting**. - ![device update.](images/windowsembedded-update8.png) + ![device update](images/windowsembedded-update8.png) 8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**. 9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**. - ![handheld device update.](images/windowsembedded-update9.png) + ![handheld device update](images/windowsembedded-update9.png) 10. On the **Browse Settings** page, select **Close**. 11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**. - ![embedded device update.](images/windowsembedded-update10.png) + ![embedded device update](images/windowsembedded-update10.png) 12. Close the **Create Configuration Item Wizard** page. 13. 
Right-click on the newly create configuration item, and then select the **Compliance Rules** tab. 14. Select the new created mobile device setting (such as DUReport), and then select **Select**. 15. Enter a dummy value (such as zzz) that is different from the one on the device. - ![embedded device update.](images/windowsembedded-update11.png) + ![embedded device update](images/windowsembedded-update11.png) 16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option. 17. Select **OK** to close the **Edit Rule** page. 18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**. 19. Select **Create Configuration Item**. - ![embedded device update.](images/windowsembedded-update12.png) + ![embedded device update](images/windowsembedded-update12.png) 20. Enter a baseline name (such as RetrieveDUReport). 21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport). - ![embedded device update.](images/windowsembedded-update13.png) + ![embedded device update](images/windowsembedded-update13.png) 22. Select **OK**, and then select **OK** again to complete the configuration baseline. 23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**. - ![embedded device update.](images/windowsembedded-update14.png) + ![embedded device update](images/windowsembedded-update14.png) 24. Select **Remediate noncompliant rules when supported**. 25. Select the appropriate device collection and define the schedule. - ![device update.](images/windowsembedded-update15.png) + ![device update](images/windowsembedded-update15.png) 26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. 
Right-click on the deployment, and then select **View Status**. 27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab. 28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**. - ![device update.](images/windowsembedded-update16.png) + ![device update](images/windowsembedded-update16.png) 29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here. - ![device update.](images/windowsembedded-update17.png) + ![device update](images/windowsembedded-update17.png) 30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log. 31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c9f13235e0..322e4dbc40 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. - ![Intune license verification.](images/auto-enrollment-intune-license-verification.png) + ![Intune license verification](images/auto-enrollment-intune-license-verification.png) 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). - ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) + ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) > [!IMPORTANT] > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. 
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service: You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. - ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) + ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png) Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) + ![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png) This information can also be found on the Azure AD device list. - ![Azure AD device list.](images/azure-ad-device-list.png) + ![Azure AD device list](images/azure-ad-device-list.png) 5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc - ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) + ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png) 6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - ![Mobility setting MDM intune.](images/auto-enrollment-microsoft-intune-setting.png) + ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) 7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee 9. Verify that Microsoft Intune should allow enrollment of Windows devices. - ![Enrollment of Windows devices.](images/auto-enrollment-enrollment-of-windows-devices.png) + ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png) ## Configure the auto-enrollment Group Policy for a single PC @@ -102,18 +102,18 @@ Requirements: Click Start, then in the text box type gpedit. - ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) + ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. 3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. > [!div class="mx-imgBorder"] - > ![MDM policies.](images/autoenrollment-mdm-policies.png) + > ![MDM policies](images/autoenrollment-mdm-policies.png) 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy.](images/autoenrollment-policy.png) + ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. @@ -129,7 +129,7 @@ Requirements: If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. - ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) + ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) > [!Tip] > You can avoid this behavior by using Conditional Access Policies in Azure AD. 
@@ -139,7 +139,7 @@ Requirements: 7. Click **Info** to see the MDM enrollment information. - ![Work School Settings.](images/autoenrollment-settings-work-school.png) + ![Work School Settings](images/autoenrollment-settings-work-school.png) If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). @@ -148,13 +148,13 @@ Requirements: 1. Click **Start**, then in the text box type **task scheduler**. - ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) + ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png) 2. Under **Best match**, click **Task Scheduler** to launch it. 3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. - ![Auto-enrollment scheduled task.](images/autoenrollment-scheduled-task.png) + ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. 
@@ -239,13 +239,13 @@ To collect Event Viewer logs: 3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully: - ![Event ID 75.](images/auto-enrollment-troubleshooting-event-id-75.png) + ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png) If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons: - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed: - ![Event ID 76.](images/auto-enrollment-troubleshooting-event-id-76.png) + ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png) To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information. @@ -253,7 +253,7 @@ To collect Event Viewer logs: The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot: - ![Task scheduler.](images/auto-enrollment-task-scheduler.png) + ![Task scheduler](images/auto-enrollment-task-scheduler.png) > [!Note] > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task. 
@@ -262,24 +262,24 @@ To collect Event Viewer logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. - ![Event ID 107.](images/auto-enrollment-event-id-107.png) + ![Event ID 107](images/auto-enrollment-event-id-107.png) When the task is completed, a new event ID 102 is logged. - ![Event ID 102.](images/auto-enrollment-event-id-102.png) + ![Event ID 102](images/auto-enrollment-event-id-102.png) Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: - ![Outdated enrollment entries.](images/auto-enrollment-outdated-enrollment-entries.png) + ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. 
In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: - ![Manually deleted entries.](images/auto-enrollment-activation-verification-less-entries.png) + ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) ### Related topics diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index c29e2047ad..b809041a65 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem The following diagram shows the EnterpriseModernAppManagement CSP in a tree format. -![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png) +![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 98249aad50..51c1a6581f 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md 
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. -![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png) +![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png) ***EnterpriseID*** Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 3df7b51be2..12547591ba 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. -![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png) +![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) **FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 03fb5b432d..9f691cab8c 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
@@ -104,7 +104,7 @@ The following is a list of functions performed by the Device HealthAttestation C - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report) -![healthattestation service diagram.](images/healthattestation_2.png) +![healthattestation service diagram](images/healthattestation_2.png) diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index af7934b674..36a979715e 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. -![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png) +![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png) **Enabled** Required. Specifies whether to enable Internet sharing on the device. The default is false. diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 68633b48af..08a455f462 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  -![Mobile application management app.](images/implement-server-side-mobile-application-management.png) +![Mobile application management app](images/implement-server-side-mobile-application-management.png) MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 875c7d0ded..12e50c7af7 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. -![business store offline app distribution.](images/businessstoreportalservices2.png) +![business store offline app distribution](images/businessstoreportalservices2.png) ### Online-licensed application distribution The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application. -![business store online app distribution.](images/businessstoreportalservices3.png) +![business store online app distribution](images/businessstoreportalservices3.png) ## Integrate with Azure Active Directory @@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca The diagram below shows the call patterns for acquiring a new or updated application. -![business store portal service flow diagram.](images/businessstoreportalservicesflow.png) +![business store portal service flow diagram](images/businessstoreportalservicesflow.png) **Here is the list of available operations**: diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 6dbe747d92..d1e7b033f2 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. -![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) +![active directory azure ad signin](images/unifiedenrollment-rs1-1.png) ### Connect your device to an Active Directory domain (join a domain) @@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien 1. On the **Who Owns this PC?** page, select **My work or school owns it**. - ![oobe local account creation.](images/unifiedenrollment-rs1-2.png) + ![oobe local account creation](images/unifiedenrollment-rs1-2.png) 2. Next, select **Join a domain**. - ![select domain or azure ad.](images/unifiedenrollment-rs1-3.png) + ![select domain or azure ad](images/unifiedenrollment-rs1-3.png) 3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. - ![create pc account.](images/unifiedenrollment-rs1-4.png) + ![create pc account](images/unifiedenrollment-rs1-4.png) ### Use the Settings app 
@@ -56,27 +56,27 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page.](images/unifiedenrollment-rs1-5.png) + ![windows settings page](images/unifiedenrollment-rs1-5.png) 2. Next, select **Accounts**. - ![windows settings accounts select.](images/unifiedenrollment-rs1-6.png) + ![windows settings accounts select](images/unifiedenrollment-rs1-6.png) 3. Navigate to **Access work or school**. - ![select access work or school.](images/unifiedenrollment-rs1-7.png) + ![select access work or school](images/unifiedenrollment-rs1-7.png) 4. Select **Connect**. - ![connect to work or school.](images/unifiedenrollment-rs1-8.png) + ![connect to work or school](images/unifiedenrollment-rs1-8.png) 5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. - ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) + ![join account to active directory domain](images/unifiedenrollment-rs1-9.png) 6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. - ![type in domain name.](images/unifiedenrollment-rs1-10.png) + ![type in domain name](images/unifiedenrollment-rs1-10.png) ### Help with connecting to an Active Directory domain 
@@ -101,11 +101,11 @@ To join a domain: 1. Select **My work or school owns it**, then select **Next.** - ![oobe local account creation.](images/unifiedenrollment-rs1-11.png) + ![oobe local account creation](images/unifiedenrollment-rs1-11.png) 2. Select **Join Azure AD**, and then select **Next.** - ![select domain or azure ad.](images/unifiedenrollment-rs1-12.png) + ![select domain or azure ad](images/unifiedenrollment-rs1-12.png) 3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. @@ -113,7 +113,7 @@ To join a domain: Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. - ![azure ad signin.](images/unifiedenrollment-rs1-13.png) + ![azure ad signin](images/unifiedenrollment-rs1-13.png) ### Use the Settings app 
@@ -121,27 +121,27 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page.](images/unifiedenrollment-rs1-14.png) + ![windows settings page](images/unifiedenrollment-rs1-14.png) 2. Next, navigate to **Accounts**. - ![windows settings accounts select.](images/unifiedenrollment-rs1-15.png) + ![windows settings accounts select](images/unifiedenrollment-rs1-15.png) 3. Navigate to **Access work or school**. - ![select access work or school.](images/unifiedenrollment-rs1-16.png) + ![select access work or school](images/unifiedenrollment-rs1-16.png) 4. Select **Connect**. - ![connect to work or school.](images/unifiedenrollment-rs1-17.png) + ![connect to work or school](images/unifiedenrollment-rs1-17.png) 5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**. - ![join work or school account to azure ad.](images/unifiedenrollment-rs1-18.png) + ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) 6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) + ![azure ad sign in](images/unifiedenrollment-rs1-19.png) 7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
@@ -151,7 +151,7 @@ To create a local account and connect the device: After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. - ![corporate sign in.](images/unifiedenrollment-rs1-20.png) + ![corporate sign in](images/unifiedenrollment-rs1-20.png) ### Help with connecting to an Azure AD domain @@ -183,19 +183,19 @@ To create a local account and connect the device: 1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. - ![windows settings page.](images/unifiedenrollment-rs1-21-b.png) + ![windows settings page](images/unifiedenrollment-rs1-21-b.png) 2. Navigate to **Access work or school**. - ![select access work or school.](images/unifiedenrollment-rs1-23-b.png) + ![select access work or school](images/unifiedenrollment-rs1-23-b.png) 3. Select **Connect**. - ![connect to work or school.](images/unifiedenrollment-rs1-24-b.png) + ![connect to work or school](images/unifiedenrollment-rs1-24-b.png) 4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![join work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) + ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png) 5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
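Review bot: step 5 in the second hunk reads "and can enter your password directly into the page", which is missing its subject; change it to "and you can enter your password directly into the page" so it matches the wording of the equivalent step in the "Use the Settings app" section above.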
@@ -205,11 +205,11 @@ To create a local account and connect the device: Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. - ![corporate sign in.](images/unifiedenrollment-rs1-26.png) + ![corporate sign in](images/unifiedenrollment-rs1-26.png) 6. After you complete the flow, your Microsoft account will be connected to your work or school account. - ![account successfully added.](images/unifiedenrollment-rs1-27.png) + ![account successfully added](images/unifiedenrollment-rs1-27.png) ### Connect to MDM on a desktop (enrolling in device management) 
@@ -221,29 +221,29 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page.](images/unifiedenrollment-rs1-28.png) + ![windows settings page](images/unifiedenrollment-rs1-28.png) 2. Next, navigate to **Accounts**. - ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + ![windows settings accounts page](images/unifiedenrollment-rs1-29.png) 3. Navigate to **Access work or school**. - ![access work or school.](images/unifiedenrollment-rs1-30.png) + ![access work or school](images/unifiedenrollment-rs1-30.png) 4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - ![connect to work or school.](images/unifiedenrollment-rs1-31.png) + ![connect to work or school](images/unifiedenrollment-rs1-31.png) 5. Type in your work email address. - ![set up work or school account.](images/unifiedenrollment-rs1-32.png) + ![set up work or school account](images/unifiedenrollment-rs1-32.png) 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. - ![corporate sign in.](images/unifiedenrollment-rs1-33-b.png) + ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. 
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links: - IT admins can add this link to a welcome email that users can select to enroll into MDM. - ![using enrollment deeplink in email.](images/deeplinkenrollment1.png) + ![using enrollment deeplink in email](images/deeplinkenrollment1.png) - IT admins can also add this link to an internal web page that users refer to enrollment instructions. @@ -308,20 +308,20 @@ To connect your devices to MDM using deep links: Type in your work email address. - ![set up work or school account.](images/deeplinkenrollment3.png) + ![set up work or school account](images/deeplinkenrollment3.png) 3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. - ![corporate sign in.](images/deeplinkenrollment4.png) + ![corporate sign in](images/deeplinkenrollment4.png) ## Manage connections To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection. -![managing work or school account.](images/unifiedenrollment-rs1-34-b.png) +![managing work or school account](images/unifiedenrollment-rs1-34-b.png) ### Info 
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. -![work or school info.](images/unifiedenrollment-rs1-35-b.png) +![work or school info](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] > Starting in Windows 10, version 1709, the **Manage** button is no longer available. @@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here. -![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) +![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png) diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index ad2d4edddc..e9383e871f 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -17,7 +17,7 @@ The Messaging configuration service provider is used to configure the ability to The following diagram shows the Messaging configuration service provider in tree format. -![messaging csp.](images/provisioning-csp-messaging.png) +![messaging csp](images/provisioning-csp-messaging.png) **./User/Vendor/MSFT/Messaging** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 6c898afe02..32f9b5ee66 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. -![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) +![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png) Here is the corresponding registry key: diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 0b715c1a53..1b5f5ecdd4 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png) +![napdef csp (cp) (initial bootstrapping)](images/provisioning-csp-napdef-cp.png) The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png) +![napdef csp (cp) (update bootstrapping)](images/provisioning-csp-napdef-cp-2.png) **NAPAUTHINFO** Defines a group of authentication settings. 
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 272489e4a8..ce79fdb702 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine. -![ssl settings.](images/ssl-settings.png) +![ssl settings](images/ssl-settings.png) ### MDM enrollment fails on the mobile device when traffic is going through proxy @@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration 1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article. 2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) - ![vpn selfhost properties window.](images/certfiltering1.png) + ![vpn selfhost properties window](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. 
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration 3. Click the **Properties** button underneath the drop down menu. 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window.](images/certfiltering2.png) + ![smart card or other certificate properties window](images/certfiltering2.png) 5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate selection window.](images/certfiltering3.png) + ![configure certificate selection window](images/certfiltering3.png) 6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. 7. Close the rasphone dialog box. 8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering. @@ -492,7 +492,7 @@ No. Only one MDM is allowed. 4. Click **Configure**. 5. Set quota to unlimited. - ![aad maximum joined devices.](images/faq-max-devices.png) + ![aad maximum joined devices](images/faq-max-devices.png) ### **What is dmwappushsvc?** diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 84ff8f5e34..c73d5fdc8d 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows The following diagram shows the PassportForWork configuration service provider in tree format. -![passportforwork csp.](images/provisioning-csp-passportforwork.png) +![passportforwork csp](images/provisioning-csp-passportforwork.png) ### Device configuration diagram The following diagram shows the PassportForWork configuration service provider in tree format. -![passportforwork diagram.](images/provisioning-csp-passportforwork2.png) +![passportforwork diagram](images/provisioning-csp-passportforwork2.png) **PassportForWork** Root node for PassportForWork configuration service provider. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index da0f0543dc..ddeb61f84a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -44,7 +44,7 @@ The Policy configuration service provider has the following sub-categories: The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. -![policy csp diagram.](images/provisioning-csp-policy.png) +![policy csp diagram](images/provisioning-csp-policy.png) **./Vendor/MSFT/Policy** diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 013edacaec..9d7aa06011 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and ``` You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. -:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image."::: +:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image"::: @@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i You can also block installation by using a custom profile in Intune. -![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png) +![Custom profile prevent devices](images/custom-profile-prevent-other-devices.png) @@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed. -![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png) +![Custom profile prevent device ids](images/custom-profile-prevent-device-ids.png) @@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile prevents installation of devices with matching device instance IDs. -![Custom profile.](images/custom-profile-prevent-device-instance-ids.png) +![Custom profile](images/custom-profile-prevent-device-instance-ids.png) To prevent installation of devices with matching device instance IDs by using custom profile in Intune: 1. Locate the device instance ID. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 7f7e8ae961..cdf909411f 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md 
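Review bot: the first hunk's `:::image` line keeps the grammatical error in `alt-text="This is a edit row image"`; while the trailing period is being dropped, also change it to "an edit row image" or, better, a descriptive alt text such as "Edit row in the Intune custom profile". The `![Custom profile]` alt text in the last hunk is likewise too generic for a screen reader; "Custom profile that prevents device instance IDs" would match the surrounding sentence.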
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -40,6 +40,20 @@ manager: dansimp +Steps to use this policy correctly: + +1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). +1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). + 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays + 1. The value can be between min / max allowed. +1. Enroll HoloLens devices and verify both configurations get applied to the device. +1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. + +> [!NOTE] +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. +
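Review bot: the note at the end of the moved block is ungrammatical: "Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to "disconnected" environments." Since the block is being relocated anyway, rewrite it, for example: "Until step 4 is performed for an Azure AD user, that user will experience the failure behavior described for "disconnected" environments." Also, steps 4 and 6 use "sign-in" as a verb ("Let Azure AD user 1 sign-in", "must sign-in to device"); the verb form is "sign in".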
@@ -65,20 +79,6 @@ manager: dansimp
-Steps to use this policy correctly: - -1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). - 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays - 1. The value can be between min / max allowed. -1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. -1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. - -> [!NOTE] -> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. -
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index d627137d97..b02ba826b4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/26/2021 +ms.date: 10/14/2020 ms.reviewer: manager: dansimp --- @@ -62,7 +62,7 @@ manager: dansimp System/AllowUserToResetPhone
- System/AllowWUfBCloudProcessing + System/AllowWuFBCloudProcessing
System/BootStartDriverInitialization @@ -964,7 +964,7 @@ The following list shows the supported values:
-**System/AllowWUfBCloudProcessing** +**System/AllowWuFBCloudProcessing**
@@ -985,15 +985,6 @@ If you disable or do not configure this policy setting, devices enrolled to the
- - -The following list shows the supported values: - -- 0 - Disabled. -- 8 - Enabled. - - - **System/BootStartDriverInitialization** diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 92df20eba2..a0a34ee244 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
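Review bot: the policy-csp-system.md hunks look like an accidental revert rather than an intended edit: `ms.date` moves backwards from 08/26/2021 to 10/14/2020, and the "supported values" list for the policy (`0 - Disabled`, `8 - Enabled`) is deleted with nothing replacing it, which leaves admins without the values to set. The rename from `AllowWUfBCloudProcessing` to `AllowWuFBCloudProcessing` also changes the casing of the WUfB (Windows Update for Business) abbreviation in both the index and the heading; confirm the spelling against the CSP node name before merging, since this name is what goes into the OMA-URI.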
@@ -52,34 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. - ![mdm push notification1.](images/push-notification1.png) + ![mdm push notification1](images/push-notification1.png) 2. Create a new app. - ![mdm push notification2.](images/push-notification2.png) + ![mdm push notification2](images/push-notification2.png) 3. Reserve an app name. - ![mdm push notification3.](images/push-notification3.png) + ![mdm push notification3](images/push-notification3.png) 4. Click **Services**. - ![mdm push notification4.](images/push-notification4.png) + ![mdm push notification4](images/push-notification4.png) 5. Click **Push notifications**. - ![mdm push notification5.](images/push-notification5.png) + ![mdm push notification5](images/push-notification5.png) 6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. - ![mdm push notification6.](images/push-notification6.png) + ![mdm push notification6](images/push-notification6.png) 7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: - Application Id - Application Secrets - Microsoft Store Package SID, Application Identity, and Publisher. - ![mdm push notification7.](images/push-notification7.png) + ![mdm push notification7](images/push-notification7.png) 8. Click **Save**. 9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard. 10. Select your app from the list on the left. 11. From the left nav, expand **App management** and then click **App identity**. - ![mdm push notification10.](images/push-notification10.png) + ![mdm push notification10](images/push-notification10.png) 12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.   
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index e2d40a822a..48baff3fe8 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -23,11 +23,11 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png) +![pxlogical csp (cp) (initial bootstrapping)](images/provisioning-csp-pxlogical-cp.png) The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png) +![pxlogical csp (cp) (update bootstrapping)](images/provisioning-csp-pxlogical-cp-2.png) **PXPHYSICAL** Defines a group of logical proxy settings. diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index 28e198aa1f..be9c8a5339 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md 
@@ -23,15 +23,15 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent 1. Sign in to the Microsoft 365 admin center at using your organization's account. - ![register azuread.](images/azure-ad-add-tenant10.png) + ![register azuread](images/azure-ad-add-tenant10.png) 2. On the **Home** page, click on the Admin tools icon. - ![register azuread.](images/azure-ad-add-tenant11.png) + ![register azuread](images/azure-ad-add-tenant11.png) 3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal. - ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) + ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 4ffdbad557..9e203d4d39 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -25,7 +25,7 @@ For the SecurityPolicy CSP, you cannot use the Replace command unless the node a The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. -![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png) +![securitypolicy csp (dm,cp)](images/provisioning-csp-securitypolicy-dmandcp.png) ***PolicyID*** Defines the security policy identifier as a decimal value. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 21f39c4389..5b211a0f55 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
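Review bot: the first two images in the register-your-free-azure-active-directory-subscription.md hunk share the alt text "register azuread" even though they show different screens (the admin center sign-in and the Admin tools icon); give each a distinct description. Separately, the third image is served from user-images.githubusercontent.com rather than the repo's images/ folder, so it will break if that attachment is ever removed; copy it into images/ like the other screenshots.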
@@ -56,11 +56,11 @@ Group Policy option button setting: The following diagram shows the main display for the Group Policy Editor. -![Group Policy editor.](images/group-policy-editor.png) +![Group Policy editor](images/group-policy-editor.png) The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor. -![Group Policy publisher server 2 settings.](images/group-policy-publisher-server-2-settings.png) +![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png) Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol. diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 00d2b86cd5..7916778bec 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md 
@@ -119,7 +119,7 @@ Currently SwapfileSize should not be relied for determining or controlling the o **CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize** should be used for that purpose. -:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting."::: +:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting"::: > [!NOTE] > Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes. diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 42a6882673..3f6badf192 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -33,7 +33,7 @@ Important considerations: The following diagram shows the VPN configuration service provider in tree format. -![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png) +![provisioning\-csp\-vpnimg](images/provisioning-csp-vpn.png) ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index e7321b1888..d6b9110b32 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -25,7 +25,7 @@ The default security roles are defined in the root characteristic, and map to ea The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png) +![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png) **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". 
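Review bot: the VPN CSP alt text `provisioning\-csp\-vpnimg` is a file-name fragment with escaped hyphens, not a description; since the line is being edited for the trailing period anyway, replace it with something like "VPN CSP diagram", matching the style used for the other CSP diagrams in this patch (for example "wi-fi csp diagram" and "policy csp diagram").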
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 7aaa801796..20f21f79bc 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -23,7 +23,7 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png) +![w7 application csp (dm)](images/provisioning-csp-w7-application-dm.png) > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index e867ae66ef..125bbfb687 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -31,7 +31,7 @@ Programming considerations: The following image shows the WiFi configuration service provider in tree format. -![wi-fi csp diagram.](images/provisioning-csp-wifi.png) +![wi-fi csp diagram](images/provisioning-csp-wifi.png) The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index e5e7511669..a8be6bba9c 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -25,7 +25,7 @@ The DM client is configured during the enrollment process to be invoked by the t The following diagram shows the work flow between server and client. -![windows client and server mdm diagram.](images/enterprise-workflow.png) +![windows client and server mdm diagram](images/enterprise-workflow.png) ## Management workflow diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index fc13fd3034..c68424cd04 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -19,7 +19,7 @@ The Windows Defender Advanced Threat Protection (WDATP) configuration service pr The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). -![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png) +![windowsadvancedthreatprotection csp diagram](images/provisioning-csp-watp.png) The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 2fe71b5e76..2f3cdf7fc7 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md 
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross 
mark.](images/checkmark.png) | +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | 
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw |--------------------------------------------------------------------------|------------------------------------------| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | -[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png) -[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png) +[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark](images/checkmark.png) +[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark](images/checkmark.png) [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | -[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png) -[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png) -[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png) +[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark](images/checkmark.png) +[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark](images/checkmark.png) +[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark](images/checkmark.png) [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | -[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png) -[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png) +[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross 
mark](images/checkmark.png) +[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark](images/checkmark.png) [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | -[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png) +[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark](images/checkmark.png) [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | 
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | -[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png) +[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark](images/checkmark.png) [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | -[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png) +[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark](images/checkmark.png) [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | -[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png) +[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark](images/checkmark.png) [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | -[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png) +[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark](images/checkmark.png) [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | 
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | -[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png) +[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark](images/checkmark.png) [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | 
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png) -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png) +[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark](images/checkmark.png) +[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark](images/checkmark.png) [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png) -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png) +[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark](images/checkmark.png) +[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark](images/checkmark.png) [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png) +[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark](images/checkmark.png) 
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png) +[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark](images/checkmark.png) [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png) +[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark](images/checkmark.png) [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png) +[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark](images/checkmark.png) [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | **Win32\_WindowsUpdateAgentVersion** | diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index acdcd2d268..6a50151342 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -57,7 +57,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443: 7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. -:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established."::: +:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established"::: ### Data and privacy diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 490b24075a..e0afd3d480 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -119,7 +119,7 @@ To verify the BCD entries: > [!NOTE] > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension. - ![bcdedit.](images/screenshot1.png) + ![bcdedit](images/screenshot1.png) If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**. 
@@ -179,11 +179,11 @@ Dism /Image:: /Get-packages After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages: -![Dism output pending update.](images/pendingupdate.png) +![Dism output pending update](images/pendingupdate.png) 1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer. - ![Dism output revert pending.](images/revertpending.png) + ![Dism output revert pending](images/revertpending.png) 2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. @@ -193,14 +193,14 @@ After you run this command, you'll see the **Install pending** and **Uninstall P 5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive. - ![Load Hive.](images/loadhive.png) + ![Load Hive](images/loadhive.png) 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. 7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. > [!div class="mx-imgBorder"] - > ![Unload Hive.](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) + > ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) 8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive. 
@@ -256,7 +256,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the \Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F} > [!div class="mx-imgBorder"] - > ![Registry.](images/controlset.png) + > ![Registry](images/controlset.png) If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value. @@ -274,8 +274,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the * `chkdsk /f /r OsDrive:` - ![Check disk.](images/check-disk.png) + ![Check disk](images/check-disk.png) * `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` - ![SFC scannow.](images/sfc-scannow.png) + ![SFC scannow](images/sfc-scannow.png) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 390add3169..454101462a 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
@@ -165,13 +165,13 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. - ![WinDbg img.](images/windbg.png) + ![WinDbg img](images/windbg.png) 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. 8. A detailed bugcheck analysis will appear. See the example below. - ![Bugcheck analysis.](images/bugcheck-analysis.png) + ![Bugcheck analysis](images/bugcheck-analysis.png) 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index 10ae554304..77e524634d 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -44,17 +44,17 @@ If the initial TCP handshake is failing because of packet drops, then you would Source side connecting on port 445: -![Screenshot of frame summary in Network Monitor.](images/tcp-ts-6.png) +![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png) Destination side: applying the same filter, you do not see any packets. -![Screenshot of frame summary with filter in Network Monitor.](images/tcp-ts-7.png) +![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) For the rest of the data, TCP will retransmit the packets five times. **Source 192.168.1.62 side trace:** -![Screenshot showing packet side trace.](images/tcp-ts-8.png) +![Screenshot showing packet side trace](images/tcp-ts-8.png) **Destination 192.168.1.2 side trace:** 
@@ -79,15 +79,15 @@ In the below screenshots, you see that the packets seen on the source and the de **Source Side** -![Screenshot of packets on source side in Network Monitor.](images/tcp-ts-9.png) +![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png) **On the destination-side trace** -![Screenshot of packets on destination side in Network Monitor.](images/tcp-ts-10.png) +![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png) You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. -![Screenshot of packet flag.](images/tcp-ts-11.png) +![Screenshot of packet flag](images/tcp-ts-11.png) The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. @@ -110,8 +110,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it. -![Screenshot of Event Properties.](images/tcp-ts-12.png) +![Screenshot of Event Properties](images/tcp-ts-12.png) Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection. -![Screenshot of wfpstate.xml file.](images/tcp-ts-13.png) +![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index daa23de8b1..b432191920 100644 
--- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -21,7 +21,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: -![Adapters.](images/nm-adapters.png) +![Adapters](images/nm-adapters.png) When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. @@ -29,15 +29,15 @@ When the driver gets hooked to the network interface card (NIC) during installat 1. Run netmon in an elevated status by choosing Run as Administrator. - ![Image of Start search results for Netmon.](images/nm-start.png) + ![Image of Start search results for Netmon](images/nm-start.png) 2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**. - ![Image of the New Capture option on menu.](images/tcp-ts-4.png) + ![Image of the New Capture option on menu](images/tcp-ts-4.png) 3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. - ![Frame summary of network packets.](images/tcp-ts-5.png) + ![Frame summary of network packets](images/tcp-ts-5.png) 4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 4c1e8b1b7f..ca8551b1dd 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -58,19 +58,19 @@ Since outbound connections start to fail, you will see a lot of the below behavi - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. - ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png) + ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png) - Group Policy update failures: - ![Screenshot of event properties for Group Policy failure.](images/tcp-ts-15.png) + ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png) - File shares are inaccessible: - ![Screenshot of error message "Windows cannot access."](images/tcp-ts-16.png) + ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png) - RDP from the affected server fails: - ![Screenshot of error when Remote Desktop is unable to connect.](images/tcp-ts-17.png) + ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png) - Any other application running on the machine will start to give out errors 
@@ -84,15 +84,15 @@ If you suspect that the machine is in a state of port exhaustion: a. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) + ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png) b. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) + ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. - ![Screenshot of netstate command output.](images/tcp-ts-20.png) + ![Screenshot of netstate command output](images/tcp-ts-20.png) After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. @@ -136,7 +136,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind 1. Add a column called “handles” under details/processes. 2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe. - ![Screenshot of handles column in Windows Task Maner.](images/tcp-ts-21.png) + ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png) 3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. 
@@ -157,7 +157,7 @@ Steps to use Process explorer: File \Device\AFD - ![Screenshot of Process Explorer.](images/tcp-ts-22.png) + ![Screenshot of Process Explorer](images/tcp-ts-22.png) 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index ba02501c81..37b4dfa002 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -16,7 +16,7 @@ manager: dansimp You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error. -![The following error has occurred: the RPC server is unavailable.](images/rpc-error.png) +![The following error has occurred: the RPC server is unavailable](images/rpc-error.png) This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. @@ -37,7 +37,7 @@ Before getting in to troubleshooting the *RPC server unavailable- error Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake. -![Diagram illustrating connection to remote server.](images/rpc-flow.png) +![Diagram illustrating connection to remote server](images/rpc-flow.png) RPC ports can be given from a specific range as well. ### Configure RPC dynamic port allocation 
@@ -162,13 +162,13 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) - Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. - ![Screenshot of Network Monitor with dynamic port highlighted.](images/tcp-ts-23.png) + ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png) - Check if we are connecting successfully to this Dynamic port successfully. - The filter should be something like this: `tcp.port==` and `ipv4.address==` - ![Screenshot of Network Monitor with filter applied.](images/tcp-ts-24.png) + ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png) This should help you verify the connectivity and isolate if any network issues are seen. @@ -177,7 +177,7 @@ This should help you verify the connectivity and isolate if any network issues a The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. -![Screenshot of Network Monitor with TCP SYN retransmits.](images/tcp-ts-25.png) +![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png) The port cannot be reachable due to one of the following reasons: diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 16c416a9cd..29a781be98 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md 
@@ -22,27 +22,27 @@ Click **Start** > **Settings** > **System** > click **About** from the bottom of You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: -![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) +![screenshot of the system properties window for a device running Windows 10](images/systemcollage.png) ## Using Keyword Search You can simply type the following in the search bar and press **ENTER** to see version details for your device. **“winver”** -![screenshot of the About Windows display text.](images/winver.png) +![screenshot of the About Windows display text](images/winver.png) **“msinfo”** or **"msinfo32"** to open **System Information**: -![screenshot of the System Information display text.](images/msinfo32.png) +![screenshot of the System Information display text](images/msinfo32.png) ## Using Command Prompt or PowerShell At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** -![screenshot of system information display text.](images/refcmd.png) +![screenshot of system information display text](images/refcmd.png) At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: -![screenshot of software licensing manager.](images/slmgr_dlv.png) +![screenshot of software licensing manager](images/slmgr_dlv.png) ## What does it all mean? diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 5f433844ac..15407ebc50 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md 
@@ -31,7 +31,7 @@ The order of apps in the XML file dictates the order of pinned apps on the taskb The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). -![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) ## Configure taskbar (general) @@ -142,11 +142,11 @@ The `` section will append listed apps to the tas ``` **Before:** -![default apps pinned to taskbar.](images/taskbar-default.png) +![default apps pinned to taskbar](images/taskbar-default.png) **After:** - ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) + ![additional apps pinned to taskbar](images/taskbar-default-plus.png) ## Remove default apps and add your own @@ -175,11 +175,11 @@ If you only want to remove some of the default pinned apps, you would use this m ``` **Before:** -![Taskbar with default apps.](images/taskbar-default.png) +![Taskbar with default apps](images/taskbar-default.png) **After:** -![Taskbar with default apps removed.](images/taskbar-default-removed.png) +![Taskbar with default apps removed](images/taskbar-default-removed.png) ## Remove default apps 
@@ -250,15 +250,15 @@ The following example shows you how to configure taskbars by country or region. When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: -![taskbar for US and UK locale.](images/taskbar-region-usuk.png) +![taskbar for US and UK locale](images/taskbar-region-usuk.png) The resulting taskbar for computers in Germany or France: -![taskbar for DE and FR locale.](images/taskbar-region-defr.png) +![taskbar for DE and FR locale](images/taskbar-region-defr.png) The resulting taskbar for computers in any other country region: -![taskbar for all other regions.](images/taskbar-region-other.png) +![taskbar for all other regions](images/taskbar-region-other.png) > [!NOTE] diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 1190119050..e8a0cdee55 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e >[!NOTE] >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819). -![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png) +![Cortana at work, showing the sales data pulled from Dynamics CRM](../images/cortana-crm-screen.png) ## Turn on Cortana with Dynamics CRM in your organization You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)? 
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use 2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**. - ![Cotana at work, showing how to turn on the connected services for Dynamics CRM.](../images/cortana-connect-crm.png) + ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](../images/cortana-connect-crm.png) The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 481cb27659..65919eb8e8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md 
@@ -48,35 +48,35 @@ Before you can start this testing scenario, you must first set up your test envi 2. Expand the left rail by clicking the **Show the navigation pane** icon. - ![Cortana at work, showing the navigation expand icon in Power BI.](../images/cortana-powerbi-expand-nav.png) + ![Cortana at work, showing the navigation expand icon in Power BI](../images/cortana-powerbi-expand-nav.png) 3. Click **Get Data** from the left-hand navigation in Power BI. - ![Cortana at work, showing the Get Data link.](../images/cortana-powerbi-getdata.png) + ![Cortana at work, showing the Get Data link](../images/cortana-powerbi-getdata.png) 4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen. - ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-getdata-samples.png) + ![Cortana at work, showing the Samples link](../images/cortana-powerbi-getdata-samples.png) 5. Click **Retail Analysis Sample**, and then click **Connect**. - ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-retail-analysis-sample.png) + ![Cortana at work, showing the Samples link](../images/cortana-powerbi-retail-analysis-sample.png) The sample data is imported and you’re returned to the **Power BI** screen. 6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**. - ![Cortana at work, showing a dashboard view of the sample data.](../images/cortana-powerbi-retail-analysis-dashboard.png) + ![Cortana at work, showing a dashboard view of the sample data](../images/cortana-powerbi-retail-analysis-dashboard.png) 7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**. - ![Cortana at work, showing where to find the Settings option.](../images/cortana-powerbi-settings.png) + ![Cortana at work, showing where to find the Settings option](../images/cortana-powerbi-settings.png) 8. 
Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list. 9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**. - ![Cortana at work, showing where to find the dataset options.](../images/cortana-powerbi-retail-analysis-dataset.png) + ![Cortana at work, showing where to find the dataset options](../images/cortana-powerbi-retail-analysis-dataset.png) >[!NOTE] >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.

If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. @@ -92,7 +92,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu **To create a custom sales data Answer Page for Cortana** 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. - ![Cortana at work, showing where to create the new report.](../images/cortana-powerbi-create-report.png) + ![Cortana at work, showing where to create the new report](../images/cortana-powerbi-create-report.png) 2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**. @@ -100,11 +100,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu 3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list. - ![Cortana at work, showing the Visualizations options.](../images/cortana-powerbi-pagesize.png) + ![Cortana at work, showing the Visualizations options](../images/cortana-powerbi-pagesize.png) 4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**. - ![Cortana at work, showing the Field options.](../images/cortana-powerbi-field-selection.png) + ![Cortana at work, showing the Field options](../images/cortana-powerbi-field-selection.png) The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders. 
@@ -112,7 +112,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns. - ![Cortana at work, showing the page info for your specific report.](../images/cortana-powerbi-report-qna.png) + ![Cortana at work, showing the page info for your specific report](../images/cortana-powerbi-report-qna.png) 6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. @@ -128,13 +128,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from Cortana shows you the available results. - ![Cortana at work, showing the best matches based on the Power BI data.](../images/cortana-powerbi-search.png) + ![Cortana at work, showing the best matches based on the Power BI data](../images/cortana-powerbi-search.png) 3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**. Cortana returns your custom report. - ![Cortana at work, showing your custom report from Power BI.](../images/cortana-powerbi-myreport.png) + ![Cortana at work, showing your custom report from Power BI](../images/cortana-powerbi-myreport.png) >[!NOTE] >For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index c701623a88..478aeb7938 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement 2. Click on **Connected Services**, click **Uber**, and then click **Connect**. - ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png) + ![Cortana at work, showing where to connect the Uber service to Cortana](../images/cortana-connect-uber.png) **To use the voice-enabled commands with Cortana** 1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index f50e213ce8..601ad70810 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -161,7 +161,7 @@ When you have the Start layout that you want your users to see, use the [Export- A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. -![locked tile group.](images/start-pinned-app.png) +![locked tile group](images/start-pinned-app.png) When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 7b7dcaed64..12f62c8444 100644 
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -92,13 +92,13 @@ This procedure adds the customized Start and taskbar layout to the user configur 2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. - ![start screen layout policy settings.](images/starttemplate.jpg) + ![start screen layout policy settings](images/starttemplate.jpg) 3. Right-click **Start Layout** in the right pane, and click **Edit**. This opens the **Start Layout** policy settings. - ![policy settings for start screen layout.](images/startlayoutpolicy.jpg) + ![policy settings for start screen layout](images/startlayoutpolicy.jpg) 4. Enter the following settings, and then click **OK**: diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 42b70e6248..ea856b24cd 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -87,7 +87,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png) + ![Customizations file with the placeholder text to replace highlighted](images/customization-start.png) 7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). 
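Review bot: the two consecutive list items in the customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md hunk at @@ -87 are both numbered `7.` (`7. Open the customizations.xml file in a text editor.` and `7. Replace **layout.xml** with the text from the layout.xml file`); since this block is already being touched, renumber the second item to `8.` so the source matches the rendered sequence and later cross-references to step numbers stay accurate.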
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index f5540c6ddd..aa195fb89f 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -50,7 +50,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform 3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) -![Image of the Choose Details options.](images/aumid-file-explorer.png) +![Image of the Choose Details options](images/aumid-file-explorer.png) ## To find the AUMID of an installed app for the current user by using the registry diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 9efa2b652d..bd502511d7 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
@@ -24,13 +24,13 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. - ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png) + ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) - **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. - ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png) + ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
@@ -38,25 +38,25 @@ There are several kiosk configuration methods that you can choose from, dependin - **Which type of app will your kiosk run?** - ![icon that represents apps.](images/office-logo.png) + ![icon that represents apps](images/office-logo.png) Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) - **Which type of kiosk do you need?** - ![icon that represents a kiosk.](images/kiosk.png) + ![icon that represents a kiosk](images/kiosk.png) If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). - **Which edition of Windows 10 will the kiosk run?** - ![icon that represents Windows.](images/windows.png) + ![icon that represents Windows](images/windows.png) All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. - **Which type of user account will be the kiosk account?** - ![icon that represents a user account.](images/user.png) + ![icon that represents a user account](images/user.png) The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. 
The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index ba1aaa2b58..154b35c3d0 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -54,7 +54,7 @@ Disable removable media. | Go to **Group Policy Editor** > **Computer Con Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) ## Automatic logon @@ -257,7 +257,7 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. -![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png) +![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png) To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 73e724bd75..f510b637bd 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -137,7 +137,7 @@ The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. -![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png) +![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png) After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index eac49be093..8baee6a466 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -24,7 +24,7 @@ ms.topic: article A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. -![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) +![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) >[!IMPORTANT] >[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. 
@@ -66,7 +66,7 @@ When your kiosk is a local device that is not managed by Active Directory or Azu - If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. -![Screenshot of automatic sign-in setting.](images/auto-signin.png) +![Screenshot of automatic sign-in setting](images/auto-signin.png) ### Instructions for Windows 10, version 1809 @@ -98,7 +98,7 @@ To remove assigned access, select the account tile on the **Set up a kiosk** pag When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) -![The Set up assigned access page in Settings.](images/kiosk-settings.png) +![The Set up assigned access page in Settings](images/kiosk-settings.png) **To set up assigned access in PC settings** @@ -131,7 +131,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the > >Account type: Local standard user -![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) +![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
@@ -191,7 +191,7 @@ Clear-AssignedAccess > >Account type: Local standard user, Active Directory -![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) +![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) >[!IMPORTANT] diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index e34bee8204..75781737fb 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -53,7 +53,7 @@ For example: 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. 4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) ### Automatic logon issues diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 5c2cfa795b..c2221b549a 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -34,7 +34,7 @@ AppLocker rules are organized into collections based on file format. If no AppLo This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. -![install create lockdown customize.](images/lockdownapps.png) +![install create lockdown customize](images/lockdownapps.png) ## Install apps 
@@ -50,13 +50,13 @@ After you install the desired apps, set up AppLocker rules to only allow specifi 2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - ![configure rule enforcement.](images/apprule.png) + ![configure rule enforcement](images/apprule.png) 3. Check **Configured** under **Executable rules**, and then click **OK**. 4. Right-click **Executable Rules** and then click **Automatically generate rules**. - ![automatically generate rules.](images/genrule.png) + ![automatically generate rules](images/genrule.png) 5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. @@ -68,7 +68,7 @@ After you install the desired apps, set up AppLocker rules to only allow specifi 9. Read the message and click **Yes**. - ![default rules warning.](images/appwarning.png) + ![default rules warning](images/appwarning.png) 10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 2bbcd7f1a3..702221c085 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -81,7 +81,7 @@ Let's start by looking at the basic structure of the XML file. - A profile has no effect if it’s not associated to a config section. - ![profile = app and config = account.](images/profile-config.png) + ![profile = app and config = account](images/profile-config.png) You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) @@ -271,7 +271,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, >[!NOTE] >If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. -![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) +![What the Start screen looks like when the XML sample is applied](images/sample-start.png) ##### Taskbar @@ -494,7 +494,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. 
@@ -544,7 +544,7 @@ Provisioning packages can be applied to a device during the first-run experience 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC.](images/oobe.jpg) + ![The first screen to set up a new PC](images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. @@ -552,11 +552,11 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device.](images/prov.jpg) + ![Provision this device](images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package.](images/choose-package.png) + ![Choose a package](images/choose-package.png) 5. Select **Yes, add it**. @@ -570,7 +570,7 @@ Provisioning packages can be applied to a device during the first-run experience >[!NOTE] >if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. -![add a package option.](images/package.png) +![add a package option](images/package.png) ### Use MDM to deploy the multi-app configuration diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 6dc4c73ddb..d577b69cff 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md 
@@ -46,7 +46,7 @@ You can manage your Wi-Fi Sense settings by using Group Policy and your Group Po 1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting. - ![Group Policy Editor, showing the Wi-Fi Sense setting.](images/wifisense-grouppolicy.png) + ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png) 2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment. @@ -60,7 +60,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.

Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise. - ![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png) + ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) ### Using the Windows Provisioning settings You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. @@ -81,7 +81,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by ### How employees can change their own Wi-Fi Sense settings If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**. -![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png) +![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png) **Important**
The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means: diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md index 87f2b7b7cf..ecf485cb1d 100644 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ b/windows/configuration/mobile-devices/lockdown-xml.md @@ -62,7 +62,7 @@ The settings for the Default role and other roles must be listed in your XML fil ## Action Center -![XML for Action Center.](../images/ActionCenterXML.jpg) +![XML for Action Center](../images/ActionCenterXML.jpg) The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. @@ -92,7 +92,7 @@ The following example is a complete lockdown XML file that disables Action Cente ## Apps -![XML for Apps.](../images/AppsXML.png) +![XML for Apps](../images/AppsXML.png) The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
@@ -110,7 +110,7 @@ The following example makes Outlook Calendar available on the device. When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). -![Grid to lay out tiles for Start.](../images/StartGrid.jpg) +![Grid to lay out tiles for Start](../images/StartGrid.jpg) Tile sizes are: * Small: 1x1 @@ -152,7 +152,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St That layout would appear on a device like this: -![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg) +![Example of the layout on a Start screen](../images/StartGridPinnedApps.jpg) You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. @@ -203,7 +203,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz ## Buttons -![XML for buttons.](../images/ButtonsXML.jpg) +![XML for buttons](../images/ButtonsXML.jpg) In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. 
@@ -213,11 +213,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The Button | Press | PressAndHold | All ---|:---:|:---:|:--:|- -Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) -Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Start | ![no](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) +Back | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Search | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Camera | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Custom 1, 2, and 3 | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) > [!NOTE] > Custom buttons are hardware buttons that can be added to devices by OEMs. @@ -270,7 +270,7 @@ In the following example, when a user presses the Search button, the phone diale ## CSPRunner -![XML for CSP Runner.](../images/CSPRunnerXML.jpg) +![XML for CSP Runner](../images/CSPRunnerXML.jpg) You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 
@@ -317,7 +317,7 @@ SyncML entry | Description ## Menu items -![XML for menu items.](../images/MenuItemsXML.png) +![XML for menu items](../images/MenuItemsXML.png) Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. @@ -329,7 +329,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ## Settings -![XML for settings.](../images/SettingsXML.png) +![XML for settings](../images/SettingsXML.png) The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. @@ -363,7 +363,7 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Tiles - ![XML for tiles.](../images/TilesXML.png) + ![XML for tiles](../images/TilesXML.png) By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. @@ -446,7 +446,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit ( 3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - ![browse button.](../images/icdbrowse.png) + ![browse button](../images/icdbrowse.png) 4. On the **File** menu, select **Save.** diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index a7d82f6088..68774e0da5 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md 
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -16,7 +16,7 @@ manager: dansimp # Use the Lockdown Designer app to create a Lockdown XML file -![Lockdown Designer in the Store.](../images/ldstore.png) +![Lockdown Designer in the Store](../images/ldstore.png) Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. @@ -55,7 +55,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to >[!IMPORTANT] >Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. > ->![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) +>![turn off show more tiles for small start screen size](../images/show-more-tiles.png) ## Prepare the PC @@ -89,7 +89,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 3. Click **Pair**. - ![Pair.](../images/ld-pair.png) + ![Pair](../images/ld-pair.png) **Connect to remote device** appears. @@ -99,7 +99,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - ![Sync.](../images/ld-sync.png) + ![Sync](../images/ld-sync.png) 7. Click the **Save** icon and enter a name for your project. 
@@ -113,7 +113,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 3. On the **Project setting** > **General settings** page, click **Pair**. - ![Pair.](../images/ld-pair.png) + ![Pair](../images/ld-pair.png) **Connect to remote device** appears. @@ -123,7 +123,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - ![Sync.](../images/ld-sync.png) + ![Sync](../images/ld-sync.png) 7. Click the **Save** icon and enter a name for your project. @@ -134,13 +134,13 @@ The apps and settings available in the pages of Lockdown Designer should now be | Page | Description | | --- | --- | -| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | -| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | -| ![Settings.](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | -| ![Quick actions.](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | -| ![Buttons.](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | -| ![Other settings.](../images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | -| ![Start screen.](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | +| ![Applications](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings](../images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | ## Validate and export @@ -169,4 +169,4 @@ You can create additional roles for the device and have unique configurations fo 4. Configure the settings for the role as above, but make sure on each page that you select the correct role. - ![Current role selection box.](../images/ld-role.png) \ No newline at end of file + ![Current role selection box](../images/ld-role.png) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index ebd4218503..1d321fd9cb 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md @@ -66,13 +66,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us 1. Insert an SD card containing the provisioning package into the device. 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - ![add a package option.](../images/packages-mobile.png) + ![add a package option](../images/packages-mobile.png) 3. Click **Add**. 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust.](../images/package-trust.png) + ![Is this package from a source you trust](../images/package-trust.png) ### Copying the provisioning package to the device 
@@ -82,7 +82,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust.](../images/package-trust.png) + ![Is this package from a source you trust](../images/package-trust.png) ## Related topics diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index 42ff3ff229..571a1488af 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -31,7 +31,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. -![Example of Provision this device screen.](../images/nfc.png) +![Example of Provision this device screen](../images/nfc.png) If there is an error during NFC provisioning, the device will show a message if any of the following errors occur: diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index a265a544e3..711f3cfc4e 100644 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -168,28 +168,28 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or **To set up Apps Corner** -1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. +1. On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png). +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png). -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings. +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](../images/backicon.png) to the Apps Corner settings. 4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. 5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. -6. Press **Back** ![back.](../images/backicon.png) when you're done. +6. Press **Back** ![back](../images/backicon.png) when you're done. **To use Apps Corner** -1. 
On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). +1. On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). >[!TIP] >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. 2. Give the device to someone else, so they can use the device and only the one app you chose. -3. When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner. +3. When they're done and you get the device back, press and hold Power ![power](../images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md index 858de39174..41fc17fe04 100644 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md @@ -36,7 +36,7 @@ On Windows 10 Mobile, the customized Start works by: The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. -![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png) +![Start layout for Windows 10 Mobile](../images/mobile-start-layout.png) The diagrams show: diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index a8d47b38e2..326ea5b8b8 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md 
@@ -53,11 +53,11 @@ For users who work in different locations, you can configure one APN to connect 5. Enter a name for the connection, and then click **Add**. - ![Example of APN connection name.](images/apn-add.png) + ![Example of APN connection name](images/apn-add.png) 6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. - ![settings for new connection.](images/apn-add-details.png) + ![settings for new connection](images/apn-add-details.png) 7. The following table describes the settings available for the connection. diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 38d6791423..67c28a8b90 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -38,7 +38,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/win CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). -![how intune maps to csp.](../images/policytocsp.png) +![how intune maps to csp](../images/policytocsp.png) CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. @@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. -![how help content appears in icd.](../images/cspinicd.png) +![how help content appears in icd](../images/cspinicd.png) [Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. 
@@ -86,7 +86,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider ref The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. -![csp per windows edition.](../images/csptable.png) +![csp per windows edition](../images/csptable.png) The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. @@ -94,7 +94,7 @@ The full path to a specific configuration setting is represented by its Open Mob The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. -![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png) +![assigned access csp tree](../images/provisioning-csp-assignedaccess.png) The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). 
@@ -104,7 +104,7 @@ The element in the tree diagram after the root node tells you the name of the CS When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. -![placeholder in csp tree.](../images/csp-placeholder.png) +![placeholder in csp tree](../images/csp-placeholder.png) After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 818a935488..38b7e01c09 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -58,7 +58,7 @@ Provisioning packages can include management instructions and policies, installa > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. > ->![open advanced editor.](../images/icd-simple-edit.png) +>![open advanced editor](../images/icd-simple-edit.png) ## Create the provisioning package 
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 2. Click **Provision desktop devices**. - ![ICD start options.](../images/icd-create-options-1703.png) + ![ICD start options](../images/icd-create-options-1703.png) 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. - ![ICD desktop provisioning.](../images/icd-desktop-1703.png) + ![ICD desktop provisioning](../images/icd-desktop-1703.png) > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 68cfcc37af..a71916bfab 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -46,7 +46,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options.](../images/icdstart-option.png) + ![ICD start options](../images/icdstart-option.png) 3. Name your project and click **Next**. 
@@ -73,19 +73,19 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package.](../images/uwp-family.png) + ![details for offline app package](../images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package.](../images/uwp-dependencies.png) + ![required frameworks for offline app package](../images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. - ![generate license for offline app.](../images/uwp-license.png) + ![generate license for offline app](../images/uwp-license.png) - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index f6f7f9876b..cca8b46be8 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -74,11 +74,11 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate 2. Enter a name for the first app, and then click **Add**. - ![enter name for first app.](../images/wcd-app-name.png) + ![enter name for first app](../images/wcd-app-name.png) 3. Configure the settings for the appropriate installer type. - ![enter settings for first app.](../images/wcd-app-commands.png) + ![enter settings for first app](../images/wcd-app-commands.png) ## Add a universal app to your package @@ -88,19 +88,19 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package.](../images/uwp-family.png) + ![details for offline app package](../images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package.](../images/uwp-dependencies.png) + ![required frameworks for offline app package](../images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. - ![generate license for offline app.](../images/uwp-license.png) + ![generate license for offline app](../images/uwp-license.png) - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. 
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 4a9381ab1c..4a1bb159ac 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -35,7 +35,7 @@ Provisioning packages can be applied to a device during the first-run experience 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC.](../images/oobe.jpg) + ![The first screen to set up a new PC](../images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. @@ -43,11 +43,11 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device.](../images/prov.jpg) + ![Provision this device](../images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package.](../images/choose-package.png) + ![Choose a package](../images/choose-package.png) 5. Select **Yes, add it**. 
@@ -59,7 +59,7 @@ Provisioning packages can be applied to a device during the first-run experience Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. -![add a package option.](../images/package.png) +![add a package option](../images/package.png) ## Mobile editions @@ -68,13 +68,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account 1. Insert an SD card containing the provisioning package into the device. 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - ![add a package option.](../images/packages-mobile.png) + ![add a package option](../images/packages-mobile.png) 3. Click **Add**. 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust.](../images/package-trust.png) + ![Is this package from a source you trust](../images/package-trust.png) ### Copying the provisioning package to the device @@ -84,7 +84,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust.](../images/package-trust.png) + ![Is this package from a source you trust](../images/package-trust.png) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 0aa10c16b5..b67e28b34d 100644 
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -39,7 +39,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Configuration Designer wizards.](../images/icd-create-options-1703.png) + ![Configuration Designer wizards](../images/icd-create-options-1703.png) - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: @@ -56,7 +56,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > - > ![Switch to advanced editor.](../images/icd-switch.png) + > ![Switch to advanced editor](../images/icd-switch.png) 3. Enter a name for your project, and then select **Next**. @@ -87,7 +87,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. -![What the ICD interface looks like.](../images/icd-runtime.png) +![What the ICD interface looks like](../images/icd-runtime.png) The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). 
@@ -103,14 +103,14 @@ The process for configuring settings is similar for all settings. The following For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting](../images/icd-setting-help.png) ## Build package 1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. - ![Export on top bar.](../images/icd-export-menu.png) + ![Export on top bar](../images/icd-export-menu.png) 2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 1a467d4e6d..8a7b9c464d 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -66,7 +66,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design 6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - ![Only Configuration Designer selected for installation.](../images/icd-install.png) + ![Only Configuration Designer selected for installation](../images/icd-install.png) ## Current Windows Configuration Designer limitations 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 6e54b39009..e5d60aba7f 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -35,7 +35,7 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. -![Target with multiple target states and conditions.](../images/multi-target.png) +![Target with multiple target states and conditions](../images/multi-target.png) The following table describes the logic for the target definition. diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index a3b4e25f84..2313b0e929 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -124,7 +124,7 @@ For details about the settings you can customize in provisioning packages, see [ Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. -![Configuration Designer options.](../images/icd.png) +![Configuration Designer options](../images/icd.png) Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators: diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 6e01640c44..a616731808 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -189,13 +189,13 @@ cmd /c InstallMyApp.bat In Windows Configuration Designer, this looks like: -![Command line in Selected customizations.](../images/icd-script1.png) +![Command line in Selected customizations](../images/icd-script1.png) You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. -![Command files in Selected customizations.](../images/icd-script2.png) +![Command files in Selected customizations](../images/icd-script2.png) When you are done, [build the package](provisioning-create-package.md#build-package). diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index ed5c4ee3a3..e4327a7b35 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md 
@@ -108,13 +108,13 @@ You can configure Windows to be in shared PC mode in a couple different ways: 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. > [!div class="mx-imgBorder"] - > ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png) + > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. - ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png) + ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: 
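Review bot: the numbered procedure in this hunk's context jumps from step 8 ("On the **Configuration settings** page, set the 'Shared PC Mode' value to **Enabled**.") straight to step 11 ("From this point on, you can configure any additional settings..."), so the source numbering is off by two (missing steps, or a renumbering that was not carried through). Since the hunk already edits this block, renumber the continuation to 9 or restore the missing steps in the same change, so the "Create after **Step 6**" reference in that line can be checked against a consistent sequence.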
@@ -189,7 +189,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t 1. Start with a PC on the setup screen. - ![The first screen to set up a new PC.](images/oobe.jpg) + ![The first screen to set up a new PC](images/oobe.jpg) 2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. @@ -206,7 +206,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. -![add a package option.](images/package.png) +![add a package option](images/package.png) > [!NOTE] > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 5a39031455..24dbcd1b32 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -42,7 +42,7 @@ When troubleshooting basic Start issues (and for the most part, all other Window - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` - `get-AppXPackage -Name Microsoft.Windows.Cortana` - ![Example of output from cmdlets.](images/start-ts-1.png) + ![Example of output from cmdlets](images/start-ts-1.png) Failure messages will appear if they aren't installed 
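Review bot: in the @@ -206 hunk of set-up-shared-or-guest-pc.md, the context line "navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install" has a subject-verb slip. Since the paragraph is being edited anyway, change "selects" to "select" so the sentence stays imperative like the rest of the procedure.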
@@ -188,7 +188,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded ### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted -![Screenshots that show download icons on app tiles and missing app tiles.](images/start-ts-2.png) +![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png) **Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps. @@ -236,11 +236,11 @@ Specifically, behaviors include - If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing. -![Example of a working layout.](images/start-ts-3.png) +![Example of a working layout](images/start-ts-3.png) *Working layout on first sign-in of a new roaming user profile* -![Example of a failing layout.](images/start-ts-4.png) +![Example of a failing layout](images/start-ts-4.png) *Failing layout on subsequent sign-ins* @@ -256,15 +256,15 @@ Specifically, behaviors include Before the upgrade: - ![Example of Start screen with customizations applied.](images/start-ts-5.jpg) + ![Example of Start screen with customizations applied](images/start-ts-5.jpg) After the upgrade the user pinned tiles are missing: - ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png) + ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png) Additionally, users may see blank tiles if sign-in was attempted without network connectivity. - ![Example of blank tiles.](images/start-ts-7.png) + ![Example of blank tiles](images/start-ts-7.png) **Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676). 
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 351f09ce8e..d988f11531 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -31,15 +31,15 @@ In a Start layout for Windows 10, version 1703, you can include secondary tiles Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: -![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site](images/edge-with-logo.png) In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: -![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png) +![tile for MSN and for a SharePoint site with no logos](images/edge-without-logo.png) In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout. -![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site](images/edge-with-logo.png) **Example of secondary tiles in XML generated by Export-StartLayout** @@ -156,7 +156,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png) + ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png) 13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). 
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 75fcbcdad0..83744db2ca 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -121,7 +121,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are --> -![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png) +![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png) 3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 0d091fe1bb..bb6d70d870 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u UE-V architecture, with server share, desktop, and UE-V service | **Component** | **Function** | @@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p --> -![UE-V template generator process.](images/uev-generator-process.png) +![UE-V template generator process](images/uev-generator-process.png) ## Settings synchronized by default diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 08853f5b22..bfc7cfa6f3 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md 
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make. -![UE-V deployment preparation.](images/uev-deployment-preparation.png) +![UE-V deployment preparation](images/uev-deployment-preparation.png) Update & Security --> Windows Update**. - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index e56e7a3b5b..f822925011 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline.](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline.](images/wufb-feature-notification.png) +![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) ### Deadline with user engagement 
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline example.](images/wufb-quality-engaged-notification.png) +![The notification users get for an impending engaged quality update deadline example](images/wufb-quality-engaged-notification.png) Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline example.](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline example](images/wufb-quality-notification.png) Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline example.](images/wufb-feature-update-engaged-notification.png) +![The notification users get for an impending feature update engaged deadline example](images/wufb-feature-update-engaged-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline example.](images/wufb-feature-update-deadline-notification.png) +![The notification users get for an impending feature update deadline example](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 8589495141..93a5ab27b7 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md 
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w |Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| ## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment.](images/wufb-wave-deployment.png) +![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) ## Early validation and testing Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 8aafc8f67d..e044463423 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md 
@@ -174,7 +174,7 @@ To check your system for unsigned drivers: 5. Type **sigverif** and press ENTER. 6. The File Signature Verification tool will open. Click **Start**. - ![File Signature Verification.](../images/sigverif.png) + ![File Signature Verification](../images/sigverif.png) 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers. 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired. @@ -268,7 +268,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: -![Get important updates.](../images/update.jpg) +![Get important updates](../images/update.jpg) ### Verify disk space 
@@ -280,13 +280,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un The amount of space available on the system drive will be displayed under the drive. See the following example: -![System drive.](../images/drive.png) +![System drive](../images/drive.png) In the previous example, there is 703 GB of available free space on the system drive (C:). To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: -![Disk cleanup.](../images/cleanup.png) +![Disk cleanup](../images/cleanup.png) For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 1e87d9bff7..9e7a29631c 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -25,14 +25,14 @@ ms.topic: article >This is a 300 level topic (moderate advanced).
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
- [![Download SetupDiag.](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) + [![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) ## About SetupDiag -Current downloadable version of SetupDiag: 1.6.2107.27002. -> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. +Current downloadable version of SetupDiag: 1.6.2107.27002 +>Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. -SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. +SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode. @@ -344,10 +344,6 @@ Each rule name and its associated unique rule identifier are listed with a descr ## Release notes -07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center. -- This version contains compliance updates and minor bug fixes. -- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup. - 05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center. - This version of SetupDiag is included with Windows 10, version 21H1. - A new rule is added: UserProfileSuffixMismatch. 
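Review bot: in the @@ -25 hunk of setupdiag.md, the rewritten line ">Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues." still drops the subject; since this line is already being modified, correct it to "so that you can access" here rather than leaving the grammar error in a touched line.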
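Review bot: in the @@ -344 hunk of setupdiag.md, deleting the 07/27/2021 release-notes entry for SetupDiag v1.6.2107.27002 leaves the page inconsistent with its own header, which in the @@ -25 hunk of the same patch still reads "Current downloadable version of SetupDiag: 1.6.2107.27002". The three deleted lines are also the only place that explains that, from this release on, the version number of the downloadable tool differs from the one included with Windows Setup, which a reader comparing the two versions needs to know. Either keep the deleted lines, or move that explanation next to the version line; and if the entry is removed on purpose, update the "Current downloadable version" line to match the newest remaining entry (v1.6.1.0).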
@@ -567,7 +563,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f ## Sample registry key -![Example of Addreg.](./../images/addreg.png) +![Example of Addreg](./../images/addreg.png) ## Related topics diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 1cde13e1eb..580a08b67c 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -61,7 +61,7 @@ Click **Submit** to send your feedback. See the following example: -![feedback example.](../images/feedback.png) +![feedback example](../images/feedback.png) After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. @@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. -![share.](../images/share.jpg) +![share link](../images/share.jpg) ## Related topics diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index bdb7e4814a..842e478dcf 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md 
@@ -59,31 +59,31 @@ When performing an operating system upgrade, Windows Setup uses phases described 1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - ![downlevel phase.](../images/downlevel.png) + ![downlevel phase](../images/downlevel.png) 2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - ![safeOS phase.](../images/safeos.png) + ![safeOS phase](../images/safeos.png) 3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - ![first boot phase.](../images/firstboot.png) + ![first boot phase](../images/firstboot.png) 4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - ![second boot phase.](../images/secondboot.png) + ![second boot phase](../images/secondboot.png) - ![second boot phase.](../images/secondboot2.png) + ![second boot phase](../images/secondboot2.png) - ![second boot phase.](../images/secondboot3.png) + ![second boot phase](../images/secondboot3.png) 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. **Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): -![Upgrade process.](../images/upgrade-process.png) +![Upgrade process](../images/upgrade-process.png) DU = Driver/device updates.
OOBE = Out of box experience.
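Review bot: in the Second boot phase step, the three consecutive images secondboot.png, secondboot2.png and secondboot3.png all keep the identical alt text "second boot phase" after this hunk, so a screen-reader user hears the same description three times with no way to tell the screens apart. Since this patch is cleaning up alt text anyway, give each image a distinct description of what that screen shows (the step's own text names the **Welcome to Windows 10** screen, the preferences configuration, and the Windows 10 sign-in prompt, which is a natural basis for three distinct descriptions).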
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index c8a2c54c5a..57307ee3d0 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -33,9 +33,9 @@ The following table shows the methods and paths available to change the edition > [!TIP] > Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. -![not supported.](../images/x_blk.png) (X) = not supported
-![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required
-![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required
+![not supported](../images/x_blk.png) (X) = not supported
+![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
+![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | |-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | -| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no 
reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 50aad1782d..08c4982f9c 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -63,7 +63,7 @@ Ten parameters are listed in the event: The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. -![Windows Error Reporting.](../images/event.png) +![Windows Error Reporting](../images/event.png) ## Related topics diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index 52b489720f..84a87a0aac 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. -![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif) +![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) ## Local Store vs. Remote Store diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index b94bc3041b..30930ac481 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md 
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref   -![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg) +![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg)   @@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator   -![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg) +![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg)   diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 10e7c2e418..f32ee0d61e 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -55,7 +55,7 @@ The process proceeds as follows: 3. Client computers are activated by receiving the activation object from a domain controller during startup. > [!div class="mx-imgBorder"] - > ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg) + > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) **Figure 10**. The Active Directory-based activation flow 
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o 3. Add the Volume Activation Services role, as shown in Figure 11. - ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg) + ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) **Figure 11**. Adding the Volume Activation Services role 4. Click the link to launch the Volume Activation Tools (Figure 12). - ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg) + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) **Figure 12**. Launching the Volume Activation Tools 5. Select the **Active Directory-Based Activation** option (Figure 13). - ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg) + ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) **Figure 13**. Selecting Active Directory-Based Activation 6. Enter your KMS host key and (optionally) a display name (Figure 14). - ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg) + ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) **Figure 14**. Entering your KMS host key 7. Activate your KMS host key by phone or online (Figure 15). - ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg) + ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) **Figure 15**. Choosing how to activate your product diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 5fa4723874..f9cfcf33ac 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over 2. Launch Server Manager. 3. Add the Volume Activation Services role, as shown in Figure 4. - ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg) + ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) **Figure 4**. Adding the Volume Activation Services role in Server Manager 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). - ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg) + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) **Figure 5**. Launching the Volume Activation Tools 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. - ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg) + ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) **Figure 6**. Configuring the computer as a KMS host 6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). - ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg) + ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) **Figure 7**. Installing your KMS host key 7. If asked to confirm replacement of an existing key, click **Yes**. 8. After the product key is installed, you must activate it. Click **Next** (Figure 8). - ![Activating the software.](../images/volumeactivationforwindows81-08.jpg) + ![Activating the software](../images/volumeactivationforwindows81-08.jpg) **Figure 8**. 
Activating the software The KMS key can be activated online or by phone. See Figure 9. - ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg) + ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) **Figure 9**. Choosing to activate online diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 728b60519b..b88d65def4 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi You can activate computers by using a MAK in two ways: - **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg) + ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) **Figure 16**. MAK independent activation - **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg) + ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) **Figure 17**. MAK proxy activation with the VAMT diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index e671e92d02..4e2248db96 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md 
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI 5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. - ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif) + ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) **Important**   This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 5cbd41f410..87cb8d7b0f 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: -![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) +![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) 1. Open the Control Panel and double-click **Administrative Tools**. 2. Click **Windows Firewall with Advanced Security**. diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 0b67293d6a..f462f8655f 100644 --- a/windows/deployment/volume-activation/install-vamt.md 
+++ b/windows/deployment/volume-activation/install-vamt.md @@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png) + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) ### Install VAMT using the ADK @@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. - ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png) + ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) For remote SQL Server, use `servername.yourdomain.com`. diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 91d2d8540b..45619726e9 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. -![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) +![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. @@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the The following screenshot shows the VAMT graphical user interface. -![VAMT user interface.](images/vamtuserinterfaceupdated.jpg) +![VAMT user interface](images/vamtuserinterfaceupdated.jpg) VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 71d990f500..443e1e417b 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use A typical core network that includes a KMS host is shown in Figure 1. -![Typical core network.](../images/volumeactivationforwindows81-01.jpg) +![Typical core network](../images/volumeactivationforwindows81-01.jpg) **Figure 1**. Typical core network @@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server, If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. -![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg) +![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) **Figure 2**. New KMS host in an isolated network @@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence: 7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. 8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. -![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg) +![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) **Figure 3**. KMS activation flow diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 118a656e49..2716a475b8 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md 
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th - Retail The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) +![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) ## In This Topic - [Install and start VAMT on a networked host computer](#bkmk-partone) diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index d3b906680d..84e0a8ea19 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -19,7 +19,7 @@ ms.topic: article In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: -![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) +![VAMT MAK proxy activation scenario](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index 562251c0a9..c8e7913ed2 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md 
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. -![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg) +![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) **Figure 18**. The VAMT showing the licensing status of multiple computers @@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. -![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg) +![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) **Figure 19**. The VAMT showing key types and usage diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 55fd4c1684..844c46ba14 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md 
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here. -![VAMT error message.](./images/vamt-known-issue-message.png) +![VAMT error message](./images/vamt-known-issue-message.png) This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods. diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 2a0f0da2a9..3bda096ca5 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md 
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format. -[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) +[![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. -[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) +[![Deploy Windows 10 with Configuration Manager](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) ## See also diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 0e160f2943..a90baefd20 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md 
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: -![Images.](images/table01.png) +![Images](images/table01.png) When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. @@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic See the following example for Windows 10, version 1709: -![Windows 10, version 1709 lang pack.](images/lang-pack-1709.png) +![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) ### Features on demand diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 9d18e1af46..7e6d238721 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - ![custom image.](images/image.png) + ![custom image](images/image.png) ### Create the deployment task sequence 
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - ![finish.](images/deploy-finish.png) + ![finish](images/deploy-finish.png) This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index d69cc3b5db..603113f920 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: - ![Config Mgr PXE.](images/configmgr-pxe.png) + ![Config Mgr PXE](images/configmgr-pxe.png) 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: 
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce >Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. -![contoso.com\Computers.](images/poc-computers.png) +![contoso.com\Computers](images/poc-computers.png) In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. @@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - ![site.](images/configmgr-site.png) + ![site](images/configmgr-site.png) If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. 
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - ![client.](images/configmgr-client.png) + ![client](images/configmgr-client.png) >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. @@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - ![collection.](images/configmgr-collection.png) + ![collection](images/configmgr-collection.png) ### Create a device collection for PC1 @@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - ![software.](images/configmgr-software-cntr.png) + ![software](images/configmgr-software-cntr.png) >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - ![installOS.](images/configmgr-install-os.png) + ![installOS](images/configmgr-install-os.png) The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - ![asset.](images/configmgr-asset.png) + ![asset](images/configmgr-asset.png) You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - ![post-refresh.](images/configmgr-post-refresh.png) + ![post-refresh](images/configmgr-post-refresh.png) ## Related Topics diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index d4a667a65b..319121950d 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -150,7 +150,7 @@ Hardware requirements are displayed below: The lab architecture is summarized in the following diagram: -![PoC diagram.](images/poc.png) +![PoC diagram](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. @@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![hyper-v features.](images/hyper-v-feature.png) + ![hyper-v features](images/hyper-v-feature.png) - ![hyper-v.](images/svr_mgr2.png) + ![hyper-v](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -449,7 +449,7 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd 1.](images/disk2vhd.png) + ![disk2vhd 1](images/disk2vhd.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -482,7 +482,7 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd 2.](images/disk2vhd-gen2.png) + ![disk2vhd 2](images/disk2vhd-gen2.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -506,7 +506,7 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - ![disk2vhd 3.](images/disk2vhd4.png) + ![disk2vhd 3](images/disk2vhd4.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - ![PoC 1.](images/installing-drivers.png) + ![PoC 1](images/installing-drivers.png) >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. @@ -879,7 +879,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to See the following example: - ![ISE 1.](images/ISE.png) + ![ISE 1](images/ISE.png) 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 16e8c70c2a..447ea81cfb 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. -![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) +![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later: - When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: - ![Subscription Activation with MFA example 1.](images/sa-mfa1.png)
+ ![Subscription Activation with MFA example 1](images/sa-mfa1.png)
- ![Subscription Activation with MFA example 2.](images/sa-mfa2.png)
+ ![Subscription Activation with MFA example 2](images/sa-mfa2.png)
- ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) + ![Subscription Activation with MFA example 3](images/sa-mfa3.png) ### Windows 10 Education requirements @@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. -![Windows 10 Enterprise.](images/ent.png) +![Windows 10 Enterprise](images/ent.png) When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. @@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio The following figures summarize how the Subscription Activation model works: Before Windows 10, version 1903:
-![1703.](images/before.png) +![1703](images/before.png) After Windows 10, version 1903:
-![1903.](images/after.png) +![1903](images/after.png) > [!NOTE] > diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 74e099fc82..d132aa99a6 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![Hyper-V feature.](images/hyper-v-feature.png) + ![Hyper-V feature](images/hyper-v-feature.png) - ![Hyper-V.](images/svr_mgr2.png) + ![Hyper-V](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -232,21 +232,21 @@ PS C:\autopilot> Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - ![Windows setup example 1.](images/winsetup1.png) - ![Windows setup example 2.](images/winsetup2.png) - ![Windows setup example 3.](images/winsetup3.png) - ![Windows setup example 4.](images/winsetup4.png) - ![Windows setup example 5.](images/winsetup5.png) - ![Windows setup example 6.](images/winsetup6.png) + ![Windows setup example 1](images/winsetup1.png) + ![Windows setup example 2](images/winsetup2.png) + ![Windows setup example 3](images/winsetup3.png) + ![Windows setup example 4](images/winsetup4.png) + ![Windows setup example 5](images/winsetup5.png) + ![Windows setup example 6](images/winsetup6.png) After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - ![Windows setup example 7.](images/winsetup7.png) + ![Windows setup example 7](images/winsetup7.png) Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. > [!div class="mx-imgBorder"] - > ![Windows setup example 8.](images/winsetup8.png) + > ![Windows setup example 8](images/winsetup8.png) To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: 
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script: > [!NOTE] > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - ![Serial number and hardware hash.](images/hwid.png) + ![Serial number and hardware hash](images/hwid.png) You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). @@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**. -![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg) +![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. -![Reset this PC screen capture.](images/autopilot-reset-progress.jpg) +![Reset this PC screen capture](images/autopilot-reset-progress.jpg) ## Verify subscription level 
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** -![MDM and Intune.](images/mdm-intune2.png) +![MDM and Intune](images/mdm-intune2.png) If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. -![License conversion option.](images/aad-lic1.png) +![License conversion option](images/aad-lic1.png) ## Configure company branding @@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. -![Configure company branding.](images/branding.png) +![Configure company branding](images/branding.png) When you are finished, click **Save**. @@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. -![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png) +![MDM user scope in the Mobility blade](images/ap-aad-mdm.png) ## Register your VM 
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B 1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. - ![Intune device import.](images/enroll1.png) + ![Intune device import](images/enroll1.png) > [!NOTE] > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank. - ![HWID CSV.](images/enroll2.png) + ![HWID CSV](images/enroll2.png) You should receive confirmation that the file is formatted correctly before uploading it, as shown above. @@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B 4. Click **Refresh** to verify your VM or device has been added. See the following example. - ![Import HWID.](images/enroll3.png) + ![Import HWID](images/enroll3.png) ### Autopilot registration using MSfB 
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft. Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: -![Microsoft Store for Business.](images/msfb.png) +![Microsoft Store for Business](images/msfb.png) Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. -![Microsoft Store for Business Devices.](images/msfb-device.png) +![Microsoft Store for Business Devices](images/msfb-device.png) ## Create and assign a Windows Autopilot deployment profile @@ -446,7 +446,7 @@ Pick one: > [!NOTE] > Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list. -![Devices.](images/enroll4.png) +![Devices](images/enroll4.png) #### Create a device group @@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must 3. Click **Members** and add the Autopilot VM to the group. See the following example: > [!div class="mx-imgBorder"] - > ![add members.](images/group1.png) + > ![add members](images/group1.png) 4. Click **Create**. 
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**. > [!div class="mx-imgBorder"] -> ![Deployment profiles.](images/dp.png) +> ![Deployment profiles](images/dp.png) Click on **Create profile** and then select **Windows PC**. > [!div class="mx-imgBorder"] -> ![Create deployment profile.](images/create-profile.png) +> ![Create deployment profile](images/create-profile.png) On the **Create profile** blade, use the following values: @@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings: 2. Click the **Autopilot Lab** group, and then click **Select**. 3. Click **Next** to continue and then click **Create**. See the following example: -![Deployment profile.](images/profile.png) +![Deployment profile](images/profile.png) Click on **OK** and then click on **Create**. @@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro Click **Manage** from the top menu, then click **Devices** from the left navigation tree. -![MSfB manage.](images/msfb-manage.png) +![MSfB manage](images/msfb-manage.png) Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. 
@@ -538,17 +538,17 @@ To CREATE the profile: Select your device from the **Devices** list: > [!div class="mx-imgBorder"] -> ![MSfB create step 1.](images/msfb-create1.png) +> ![MSfB create step 1](images/msfb-create1.png) On the Autopilot deployment dropdown menu, select **Create new profile**: > [!div class="mx-imgBorder"] -> ![MSfB create step 2.](images/msfb-create2.png) +> ![MSfB create step 2](images/msfb-create2.png) Name the profile, choose your desired settings, and then click **Create**: > [!div class="mx-imgBorder"] -> ![MSfB create step 3.](images/msfb-create3.png) +> ![MSfB create step 3](images/msfb-create3.png) The new profile is added to the Autopilot deployment list. @@ -557,12 +557,12 @@ To ASSIGN the profile: To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: > [!div class="mx-imgBorder"] -> ![MSfB assign step 1.](images/msfb-assign1.png) +> ![MSfB assign step 1](images/msfb-assign1.png) Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: > [!div class="mx-imgBorder"] -> ![MSfB assign step 2.](images/msfb-assign2.png) +> ![MSfB assign step 2](images/msfb-assign2.png) > [!IMPORTANT] > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: > [!div class="mx-imgBorder"] -> ![Device status.](images/device-status.png) +> ![Device status](images/device-status.png) Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. @@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com - Turn on the device - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). -![OOBE sign-in page.](images/autopilot-oobe.png) +![OOBE sign-in page](images/autopilot-oobe.png) Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. > [!div class="mx-imgBorder"] -> ![Device enabled.](images/devices1.png) +> ![Device enabled](images/devices1.png) Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. 
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu. > [!div class="mx-imgBorder"] -> ![Delete device step 1.](images/delete-device1.png) +> ![Delete device step 1](images/delete-device1.png) This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. @@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion. > [!div class="mx-imgBorder"] -> ![Delete device.](images/delete-device2.png) +> ![Delete device](images/delete-device2.png) At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: @@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: > [!div class="mx-imgBorder"] -> ![Add app example.](images/app01.png) +> ![Add app example](images/app01.png) After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. 
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Add app step 1.](images/app02.png) +![Add app step 1](images/app02.png) Under **App Type**, select **Windows app (Win32)**: -![Add app step 2.](images/app03.png) +![Add app step 2](images/app03.png) On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: > [!div class="mx-imgBorder"] -> ![Add app step 3.](images/app04.png) +> ![Add app step 3](images/app04.png) On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: -![Add app step 4.](images/app05.png) +![Add app step 4](images/app05.png) On the **Program Configuration** blade, supply the install and uninstall commands: @@ -721,7 +721,7 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q > [!NOTE] > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file. -![Add app step 5.](images/app06.png) +![Add app step 5](images/app06.png) Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). 
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade. On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: > [!div class="mx-imgBorder"] -> ![Add app step 6.](images/app07.png) +> ![Add app step 6](images/app07.png) Next, configure the **Detection rules**. For our purposes, we will select manual format: > [!div class="mx-imgBorder"] -> ![Add app step 7.](images/app08.png) +> ![Add app step 7](images/app08.png) Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: -![Add app step 8.](images/app09.png) +![Add app step 8](images/app09.png) Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. **Return codes**: For our purposes, leave the return codes at their default values: > [!div class="mx-imgBorder"] -> ![Add app step 9.](images/app10.png) +> ![Add app step 9](images/app10.png) Click **OK** to exit. @@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package. Once the indicator message says the addition has completed. > [!div class="mx-imgBorder"] -> ![Add app step 10.](images/app11.png) +> ![Add app step 10](images/app11.png) You will be able to find your app in your app list: > [!div class="mx-imgBorder"] -> ![Add app step 11.](images/app12.png) +> ![Add app step 11](images/app12.png) #### Assign the app to your Intune profile @@ -772,7 +772,7 @@ You will be able to find your app in your app list: In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: > [!div class="mx-imgBorder"] -> ![Assign app step 1.](images/app13.png) +> ![Assign app step 1](images/app13.png) Select **Add Group** to open the **Add group** pane that is related to the app. 
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu Select **Included Groups** and assign the groups you previously created that will use this app: -![Assign app step 2.](images/app14.png) +![Assign app step 2](images/app14.png) > [!div class="mx-imgBorder"] -> ![Assign app step 3.](images/app15.png) +> ![Assign app step 3](images/app15.png) In the **Select groups** pane, click the **Select** button. @@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. > [!div class="mx-imgBorder"] -> ![Assign app step 4.](images/app16.png) +> ![Assign app step 4](images/app16.png) At this point, you have completed steps to add a Win32 app to Intune. @@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Create app step 1.](images/app17.png) +![Create app step 1](images/app17.png) Under **App Type**, select **Office 365 Suite > Windows 10**: -![Create app step 2.](images/app18.png) +![Create app step 2](images/app18.png) Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: > [!div class="mx-imgBorder"] -> ![Create app step 3.](images/app19.png) +> ![Create app step 3](images/app19.png) Click **OK**. 
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. > [!div class="mx-imgBorder"] -> ![Create app step 4.](images/app20.png) +> ![Create app step 4](images/app20.png) Click **OK**. In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: -![Create app step 5.](images/app21.png) +![Create app step 5](images/app21.png) Click **OK** and then click **Add**. @@ -847,7 +847,7 @@ Click **OK** and then click **Add**. In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: > [!div class="mx-imgBorder"] -> ![Create app step 6.](images/app22.png) +> ![Create app step 6](images/app22.png) Select **Add Group** to open the **Add group** pane that is related to the app. @@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu Select **Included Groups** and assign the groups you previously created that will use this app: -![Create app step 7.](images/app23.png) +![Create app step 7](images/app23.png) > [!div class="mx-imgBorder"] -> ![Create app step 8.](images/app24.png) +> ![Create app step 8](images/app24.png) In the **Select groups** pane, click the **Select** button. @@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. -![Create app step 9.](images/app25.png) +![Create app step 9](images/app25.png) At this point, you have completed steps to add Office to Intune. 
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: -![Create app step 10.](images/app26.png) +![Create app step 10](images/app26.png) ## Glossary diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 04f798b127..0d04abd1e0 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). -![figure 1.](images/win-10-adk-select.png) +![figure 1](images/win-10-adk-select.png) The Windows 10 ADK feature selection page. @@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` -![figure 2.](images/mdt-11-fig05.png) +![figure 2](images/mdt-11-fig05.png) Using DISM functions in PowerShell. 
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data - **Custom templates.** Custom templates that you create. - **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. -![figure 3.](images/mdt-11-fig06.png) +![figure 3](images/mdt-11-fig06.png) A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files. @@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. -![figure 4.](images/windows-icd.png) +![figure 4](images/windows-icd.png) Windows Imaging and Configuration Designer. @@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/ Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. -![figure 7.](images/mdt-11-fig07.png) +![figure 7](images/mdt-11-fig07.png) Windows answer file opened in Windows SIM. 
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. -![figure 6.](images/mdt-11-fig08.png) +![figure 6](images/mdt-11-fig08.png) The updated Volume Activation Management Tool. @@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box. -![figure 7.](images/mdt-11-fig09.png) +![figure 7](images/mdt-11-fig09.png) A machine booted with the Windows ADK default Windows PE boot image. @@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. -![figure 8.](images/mdt-11-fig10.png) +![figure 8](images/mdt-11-fig10.png) A Windows 10 client booted into Windows RE, showing Advanced options. 
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows- Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. -![figure 9.](images/mdt-11-fig11.png) +![figure 9](images/mdt-11-fig11.png) Windows Deployment Services using multicast to deploy three machines. @@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance: - **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. - **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. -![figure 10.](images/mdt-11-fig12.png) +![figure 10](images/mdt-11-fig12.png) TFTP changes are now easy to perform. @@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup -![figure 11.](images/mdt-11-fig13.png) +![figure 11](images/mdt-11-fig13.png) The Deployment Workbench in, showing a task sequence. 
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm [Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer. -![figure 12.](images/mdt-11-fig14.png) +![figure 12](images/mdt-11-fig14.png) The SCM console showing a baseline configuration for a fictional client's computer security compliance. @@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file. -![figure 13.](images/mdt-11-fig15.png) +![figure 13](images/mdt-11-fig15.png) The User Experience selection screen in IEAK 11. @@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. -![figure 14.](images/mdt-11-fig16.png) +![figure 14](images/mdt-11-fig16.png) The Windows Server Update Services console. diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 5852e85928..930819c367 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md 
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn on data viewing.](images/ddv-data-viewing.png) + ![Location to turn on data viewing](images/ddv-data-viewing.png) **To turn on data viewing through PowerShell** @@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn off data viewing.](images/ddv-settings-off.png) + ![Location to turn off data viewing](images/ddv-settings-off.png) **To turn off data viewing through PowerShell** diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index dc9a127179..3b40651ee2 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn on data viewing.](images/ddv-data-viewing.png) + ![Location to turn on data viewing](images/ddv-data-viewing.png) ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. @@ -54,7 +54,7 @@ You can start this app from the **Settings** panel. 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)

-OR-

+ ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

-OR-

Go to **Start** and search for _Diagnostic Data Viewer_. @@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. - ![View your diagnostic events.](images/ddv-event-view.jpg) + ![View your diagnostic events](images/ddv-event-view.jpg) - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. 
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. - ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) + ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer](images/ddv-analytics.png) ## View Office Diagnostic Data By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). @@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn off data viewing.](images/ddv-settings-off.png) + ![Location to turn off data viewing](images/ddv-settings-off.png) ## Modifying the size of your data history By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. -![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) +![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png) **To view your Windows Error Reporting diagnostic data using the Control Panel** @@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu Go to **Start** and search for _Problem Reports_. The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft. -![View problem reports tool with report statuses.](images/control-panel-problem-reports-screen.png) +![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png) ## Known Issues with Diagnostic Data Viewer diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f1f0d9469a..aad2616468 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [9. License Manager](#bkmk-licmgr) | | | ![Check mark.](images/checkmark.png) | -| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | -| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark.](images/checkmark.png) | -| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark.](images/checkmark.png) | -| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [15. 
Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [9. License Manager](#bkmk-licmgr) | | | ![Check mark](images/checkmark.png) | +| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | +| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. 
Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -|     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png)| -|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | -|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -|     [18.22 
Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [20. Storage Health](#bkmk-storage-health) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [29. 
Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| +|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
![Check mark](images/checkmark.png) | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +|     [18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [20. 
Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | -| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 with Desktop Experience 
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. 
Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [11. 
Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -|     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| -|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | -|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | -|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -|     [18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| +|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +|     [18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. 
Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | -| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | +| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | | [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index 69dba47679..8ac3729427 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md 
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s > **Note**  You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample1.gif) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) 3. Close Active Directory Users and Computers. @@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s 5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**. - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample2.png) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png) 6. Name the GPO, and > **OK**. 7. Expand the GPO, right-click the new GPO, and > **Edit**. - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample3.png) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png) 8. Configure which members of accounts can log on locally to these administrative workstations as follows: @@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 5. Click **Add User or Group**, type **Administrators**, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample4.png) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png) 9. Configure the proxy configuration: 
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample5.png) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png) 10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows: @@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**. - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample6.png) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png) 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**. - ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample7.png) + ![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png) 3. Click **OK** to complete the configuration. @@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Right-click **Group Policy Objects**, and > **New**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample1.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png) 4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample2.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png) 5. Right-click **New GPO**, and > **Edit**. 
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample3.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. @@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample4.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. @@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample5.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. 
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for 1. Right-click the workstation OU, and then > **Link an Existing GPO**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample6.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png) 2. Select the GPO that you just created, and > **OK**. - ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample7.png) + ![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png) 10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy. @@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. -![Active Directory local accounts.](images/adlocalaccounts-proc3-sample1.png) +![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png) ## Secure and manage domain controllers diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 6ad17afded..d67808e585 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md 
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t 3. In the console tree, right-click **Group Policy Objects**, and > **New**. - ![local accounts 1.](images/localaccounts-proc1-sample1.png) + ![local accounts 1](images/localaccounts-proc1-sample1.png) 4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer. - ![local accounts 2.](images/localaccounts-proc1-sample2.png) + ![local accounts 2](images/localaccounts-proc1-sample2.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 3.](images/localaccounts-proc1-sample3.png) + ![local accounts 3](images/localaccounts-proc1-sample3.png) 6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following: @@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t 2. Right-click **Registry**, and > **New** > **Registry Item**. - ![local accounts 4.](images/localaccounts-proc1-sample4.png) + ![local accounts 4](images/localaccounts-proc1-sample4.png) 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. @@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t 9. Verify this configuration, and > **OK**. - ![local accounts 5.](images/localaccounts-proc1-sample5.png) + ![local accounts 5](images/localaccounts-proc1-sample5.png) 8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: 
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - ![local accounts 6.](images/localaccounts-proc1-sample6.png) + ![local accounts 6](images/localaccounts-proc1-sample6.png) 3. Select the GPO that you just created, and > **OK**. @@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ 4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer. - ![local accounts 7.](images/localaccounts-proc2-sample1.png) + ![local accounts 7](images/localaccounts-proc2-sample1.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 8.](images/localaccounts-proc2-sample2.png) + ![local accounts 8](images/localaccounts-proc2-sample2.png) 6. Configure the user rights to deny network logons for administrative local accounts as follows: diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index be0a573f71..e770d29de4 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md 
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice, A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID. -![Security identifier architecture.](images/security-identifider-architecture.jpg) +![Security identifier architecture](images/security-identifider-architecture.jpg) The individual values of a SID are described in the following table. diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md index 293acd13c9..26564af45a 100644 --- a/windows/security/identity-protection/access-control/security-principals.md +++ b/windows/security/identity-protection/access-control/security-principals.md @@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control **Authorization and access control process** -![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif) +![authorization and access control process](images/authorizationandaccesscontrolprocess.gif) Security principals are closely related to the following components and technologies: diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 9423de2923..f055141697 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md 
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate) 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. - :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png"::: + :::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png"::: 3. Tap **Email security**. - :::image type="content" alt-text="email security settings." source="images/emailsecurity.png"::: + :::image type="content" alt-text="email security settings" source="images/emailsecurity.png"::: 4. In **Select an account**, select the account for which you want to configure S/MIME options. @@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate) 2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message. - :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png"::: + :::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png"::: ## Read signed or encrypted messages @@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin 3. Tap **Install.** - :::image type="content" alt-text="message security information." source="images/installcert.png"::: + :::image type="content" alt-text="message security information" source="images/installcert.png":::   \ No newline at end of file diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index b122158529..8d0219c5dd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md 
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon Here's a high-level overview on how the LSA is isolated by using virtualization-based security: -![Windows Defender Credential Guard overview.](images/credguard.png) +![Windows Defender Credential Guard overview](images/credguard.png) ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 936172770d..c737034fd5 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will 5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details. - ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png) + ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png) 6. Close the Group Policy Management Console. @@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard Here's an example: > [!div class="mx-imgBorder"] - > ![System Information.](images/credguard-msinfo32.png) + > ![System Information](images/credguard-msinfo32.png) You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index fea29a3fc3..8a678b6ff4 100644 
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location: | Value | Binary contents from the certificate pin rules certificate trust list file | | Data type | REG_BINARY | -![Registry binary information.](images/enterprise-pinning-registry-binary-information.png) +![Registry binary information](images/enterprise-pinning-registry-binary-information.png) ### Deploying Enterprise Pin Rule Settings using Group Policy @@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti 11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. - ![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png) + ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) 12. Close the **Group Policy Management Editor** to save your settings. 13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer. 
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC. You can use Windows PowerShell to format these dates. You can then copy and paste the output of the cmdlet into the XML file. -![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png) +![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png) For simplicity, you can truncate decimal point (.) and the numbers after it. However, be certain to append the uppercase “Z” to the end of the XML date string. @@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date. -![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png) +![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png) ## Representing a Duration in XML @@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date. You must represent the duration as an XML timespan data type. You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file. -![Representing a duration.](images/enterprise-certificate-pinning-representing-a-duration.png) +![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png) ## Converting an XML Duration You can convert a XML formatted timespan into a timespan variable that you can read. -![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png) +![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png) ## Certificate Trust List XML Schema Definition (XSD) 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index f80ffec25c..b7018e4477 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. - ![Group Policy Editor.](images/multifactorUnlock/gpme.png) + ![Group Policy Editor](images/multifactorUnlock/gpme.png) 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. - ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png) + ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) 9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 25d27e28d3..16be1aa6bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: -![dc-chart1.](images/plan/dc-chart1.png) +![dc-chart1](images/plan/dc-chart1.png) The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following: -![dc-chart2.](images/plan/dc-chart2.png) +![dc-chart2](images/plan/dc-chart2.png) The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients? 
-![dc-chart3.](images/plan/dc-chart3.png) +![dc-chart3](images/plan/dc-chart3.png) Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same. -![dc-chart4.](images/plan/dc-chart4.png) +![dc-chart4](images/plan/dc-chart4.png) Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment. -![dc-chart5.](images/plan/dc-chart5.png) +![dc-chart5](images/plan/dc-chart5.png) You'll notice the distribution did not change. Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. 
Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index f354ae19d4..ab73eab4f9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. 10. Click **Enroll**. 
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) +![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. @@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) +![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. 
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation. - ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS 
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea Sign-in a node of the federation farm with _Admin_ equivalent credentials. 1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface.](images/hello-nlb-manager.png) + ![NLB Manager user interface](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) + ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) + ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
- ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) + ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. 9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) + ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) + ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 57f12a0692..0686de8a9a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i “schema”``` -![Netdom example output.](images/hello-cmd-netdom.png) +![Netdom example output](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 0bbce98b00..bafde6afc2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -51,7 +51,7 @@ Three approaches are documented here: 1. Right-click the **Smartcard Logon** template and click **Duplicate Template** - ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) + ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png) 1. On the **Compatibility** tab: 1. Clear the **Show resulting changes** check box @@ -109,7 +109,7 @@ Three approaches are documented here: 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** - ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) + ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png) 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. 
@@ -123,7 +123,7 @@ Three approaches are documented here: 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** - ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) + ![Request a new certificate](images/rdpcert/requestnewcertificate.png) 1. On the Certificate Enrollment screen, click **Next**. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 48a0d130df..476aed7683 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the ** The following image shows an example of an error during **Create a PIN**. -![PIN error.](images/pinerror.png) +![PIN error](images/pinerror.png) ## Error mitigations diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 2fbed0b012..0ecc622ba4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. - ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) + ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) + ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) > [!NOTE] > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. - :::image type="content" alt-text="PIN reset service permissions page." 
source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: + :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: ### Configure Windows devices to use PIN reset using Group Policy @@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - **Data type:** String - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) - :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: + :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: 1. Click the Save button to save the custom configuration. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index b5361a656c..30dc6c78e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility. Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. > [!div class="mx-imgBorder"] -> ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png) +> ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png) > [!IMPORTANT] > The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 1efcc90b24..a90f1587c2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Azure Active Directory -![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png) +![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png) | Phase | Description | | :----: | :----------- | 
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| ## Azure AD join authentication to Active Directory using a Key -![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png) +![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) | Phase | Description | @@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Active Directory using a Certificate -![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png) +![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png) | Phase | Description | | :----: | :----------- | @@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Hybrid Azure AD join authentication using a Key -![Hybrid Azure AD join authentication using a Key.](images/howitworks/auth-haadj-keytrust.png) +![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png) | Phase | Description | | :----: | :----------- | 
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. ## Hybrid Azure AD join authentication using a Certificate -![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png) +![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 20008e7565..0fb161ccb5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Azure AD joined provisioning in a Managed environment -![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-managed.png) +![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png) | Phase | Description | | :----: | :----------- | 
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment -![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png) +![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) | Phase | Description | | :----: | :----------- | @@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment -![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment.](images/howitworks/prov-haadj-keytrust-managed.png) +![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](images/howitworks/prov-haadj-keytrust-managed.png) | Phase | Description | @@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment -![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png) +![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) | Phase | Description | 
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Key Trust deployment -![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png) +![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) | Phase | Description | | :----: | :----------- | @@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Certificate Trust deployment -![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png) +![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 13246cec6f..8e0a208a86 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect). If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks. -![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png) +![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png) ### Azure Active Directory Device Registration A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. -![dsregcmd output.](images/aadj/dsregcmd.png) +![dsregcmd output](images/aadj/dsregcmd.png) ### CRL Distribution Point (CDP) Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. 
During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid. -![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) +![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png) The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated. 
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**. 2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**. 3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**. - ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) + ![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) > [!NOTE] > Make note of this path as you will use it later to configure share and file permissions. 4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane. 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**. - ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png) + ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png) In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane. - ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png) + ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png) 7. Close **Internet Information Services (IIS) Manager**. #### Create a DNS resource record for the CRL distribution point URL 
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**. 2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**. 3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**. -![Create DNS host record.](images/aadj/dns-new-host-dialog.png) +![Create DNS host record](images/aadj/dns-new-host-dialog.png) 4. Close the **DNS Manager**. ### Prepare a file share to host the certificate revocation list 
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. 3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. -![cdp sharing.](images/aadj/cdp-sharing.png) +![cdp sharing](images/aadj/cdp-sharing.png) 4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**. 8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. -![CDP Share Permissions.](images/aadj/cdp-share-permissions.png) +![CDP Share Permissions](images/aadj/cdp-share-permissions.png) 9. In the **Advanced Sharing** dialog box, click **OK**. > [!Tip] 
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. 3. Click **Caching**. Select **No files or programs from the shared folder are available offline**. -![CDP disable caching.](images/aadj/cdp-disable-caching.png) +![CDP disable caching](images/aadj/cdp-disable-caching.png) 4. Click **OK**. #### Configure NTFS permission for the CDP folder @@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow 2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab. 3. On the **Security** tab, click Edit. 5. In the **Permissions for cdp** dialog box, click **Add**. -![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png) +![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png) 6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**. 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**. 8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. 
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point. Now, configure the 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. 4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). - ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png) + ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. - ![CDP complete http.](images/aadj/cdp-extension-complete-http.png) + ![CDP complete http](images/aadj/cdp-extension-complete-http.png) 8. Select **Include in CRLs. Clients use this to find Delta CRL locations**. 9. Select **Include in the CDP extension of issued certificates**. 10. Click **Apply** save your selections. Click **No** when ask to restart the service. 
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. - ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) + ![CDP publishing location](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. @@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish** -![Publish a New CRL.](images/aadj/publish-new-crl.png) +![Publish a New CRL](images/aadj/publish-new-crl.png) 3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**. #### Validate CDP Publishing @@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. 1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. - ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png) + ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates 
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png) +![Certificate Manager Personal store](images/aadj/certlm-personal-store.png) 4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**. -![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) +![Renew with New key](images/aadj/certlm-renew-with-new-key.png) 5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**. 6. After the enrollment completes, click **Finish** to close the wizard. 7. Repeat this procedure on all your domain controllers. @@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. 4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**. 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
-![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) +![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png) ## Configure and Assign a Trusted Certificate Device Configuration Profile @@ -276,13 +276,13 @@ Steps you will perform include: 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. 4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**. -![Certificate Path.](images/aadj/certlm-cert-path-tab.png) +![Certificate Path](images/aadj/certlm-cert-path-tab.png) 5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**. -![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png) +![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png) 6. In the **Certificate Export Wizard**, click **Next**. 7. On the **Export File Format** page of the wizard, click **Next**. 8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. -![Export root certificate.](images/aadj/certlm-export-root-certificate.png) +![Export root certificate](images/aadj/certlm-export-root-certificate.png) 9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. ### Create and Assign a Trust Certificate Device Configuration Profile 
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. -![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png) +![Intune Create Profile](images/aadj/intune-create-device-config-profile.png) 3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. -![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png) +![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) 5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. -![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png) +![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. > [!NOTE] > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. 
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Choose **Enroll devices**. 4. Select **Windows enrollment**. 5. Under **Windows enrollment**, select **Windows Hello for Business**. - ![Create Windows Hello for Business Policy.](images/aadj/MEM.png) + ![Create Windows Hello for Business Policy](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index e4ada9da90..b8ce7af3da 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 2. Click **Login** and provide Azure credentials 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. - ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) + ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account 
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 1. Open **Server Manager** on the NDES server. 2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. - ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) + ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. - ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) + ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) + ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) + ![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png) 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. 
Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. - ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + ![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png) 7. Click **Next** on the **Web Server Role (IIS)** page. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. * **Web Server > Security > Request Filtering** @@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr * **Web Server > Application Development > ASP.NET 4.5**. . * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** - ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) + ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) + ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation 
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_. > [!NOTE] > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs. -![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png) +![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png) #### Configure the NDES Service account for delegation The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation. 
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. - ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) + ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. - ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. - ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates 
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr > [!NOTE] > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. -![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) +![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. 2. On the **Credentials** page, click **Next**. - ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) + ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** - ![NDES Role Services.](images/aadjcert/ndesconfig02.png) + ![NDES Role Services](images/aadjcert/ndesconfig02.png) 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. - ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) + ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. - ![NDES CA selection.](images/aadjcert/ndesconfig04.png) + ![NDES CA selection](images/aadjcert/ndesconfig04.png) 6. On the **RA Information**, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. - ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) + ![NDES Confirmation](images/aadjcert/ndesconfig05.png) 8. Click **Close** after the configuration completes. 
#### Configure Certificate Templates on NDES 
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. - ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. - ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png) + ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png) 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. - ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png) + ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png) 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. 
- ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png) + ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png) 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group @@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. - ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. - ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 6. Click **Save**. 
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). - ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) + ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Click **Enroll** 
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. - ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png) + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) 3. Click **Bindings...*** under **Actions**. Click **Add**. - ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png) + ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. - ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png) + ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) 6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. 8. Close **Internet Information Services (IIS) Manager**. @@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. -![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png) +![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. -![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png) +![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune 
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. - ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) + ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) 4. Select **Allow unlisted file name extensions**. 5. Select **Allow unlisted verbs**. 6. Select **Allow high-bit characters**. @@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - ![Intune Certificate Authority.](images/aadjcert/profile01.png) + ![Intune Certificate Authority](images/aadjcert/profile01.png) 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. 5. Sign-out of the Microsoft Endpoint Manager admin center. 
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. 3. On the **Microsoft Intune** page, click **Next**. - ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) + ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) + ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) + ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. 
- ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) + ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) + ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. @@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_. > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) + ![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. - ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) + ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. 
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival 1. Start the **Certification Authority** management console. 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. - ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) + ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation @@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) + ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector 
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. 6. Provide a **Group description**, if applicable. 7. Select **Assigned** from the **Membership type** list. - ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) + ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. 
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices**, and then click **Configuration Profiles**. 3. Select **Create Profile**. - ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) + ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png) 4. Select **Windows 10 and later** from the **Platform** list. 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. 
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. - ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) + ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 18. Click **Next**. 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. @@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Click **WHFB Certificate Enrollment**. 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. - ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) + ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png) 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. 7. Click **Review + Save**, and then **Save**. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 9e100bc146..e80dc75f72 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i schema``` -![Netdom example output.](images/hello-cmd-netdom.png) +![Netdom example output](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. 
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS** ### Create AD objects for AD FS Device Authentication If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. -![Device Registration.](images/hybridct/device1.png) +![Device Registration](images/hybridct/device1.png) > [!NOTE] > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. -![Device Registration.](images/hybridct/device2.png) +![Device Registration](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: @@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration.](images/hybridct/device3.png) +![Device Registration](images/hybridct/device3.png) The above PSH creates the following objects: 
@@ -140,11 +140,11 @@ The above PSH creates the following objects: - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration -![Device Registration.](images/hybridct/device4.png) +![Device Registration](images/hybridct/device4.png) 4. Once this is done, you will see a successful completion message. -![Device Registration.](images/hybridct/device5.png) +![Device Registration](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS @@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep -![Device Registration.](images/hybridct/device6.png) +![Device Registration](images/hybridct/device6.png) 2. Provide your Azure AD global administrator credentials `PS C:>$aadAdminCred = Get-Credential` -![Device Registration.](images/hybridct/device7.png) +![Device Registration](images/hybridct/device7.png) 3. Run the following PowerShell command 
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration.](images/hybridct/device8.png) +![Device Registration](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 35bd16ed3e..cfaf049efd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -27,22 +27,22 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png) +![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result](images/Event358.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. -![Setup a PIN Provisioning.](images/setupapin.png) +![Setup a PIN Provisioning](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -![MFA prompt during provisioning.](images/mfa.png) +![MFA prompt during provisioning](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. 
This PIN must observe any PIN complexity requirements that you deployed to the environment. -![Create a PIN during provisioning.](images/createPin.png) +![Create a PIN during provisioning](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index e60e0b15f0..9caf362da6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -27,22 +27,22 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358.](images/Event358-2.png) +![Event358](images/Event358-2.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. -![Setup a PIN Provisioning.](images/setupapin.png) +![Setup a PIN Provisioning](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -![MFA prompt during provisioning.](images/mfa.png) +![MFA prompt during provisioning](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. 
-![Create a PIN during provisioning.](images/createPin.png) +![Create a PIN during provisioning](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 4e83f31ec3..99491fb5c3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. 9. Click **Enroll**. 
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. @@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS 
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea Sign-in a node of the federation farm with _Admin_ equivalent credentials. 1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface.](images/hello-nlb-manager.png) + ![NLB Manager user interface](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) + ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) + ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
- ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) + ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. 9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) + ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) + ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 1a2b17c308..00fa16c254 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello.](images/authflow.png) +![How authentication works in Windows Hello](images/authflow.png) Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index e7d6a0cea8..3ff85f511f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md 
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. -![who owns this pc.](images/corpown.png) +![who owns this pc](images/corpown.png) Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. -![choose how you'll connect.](images/connect.png) +![choose how you'll connect](images/connect.png) They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. @@ -55,7 +55,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. -![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png) +![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2b1c101fc0..87e71bc747 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -21,7 +21,7 @@ ms.reviewer: ## Four steps to password freedom Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. -![Passwordless approach.](images/four-steps-passwordless.png) +![Passwordless approach](images/four-steps-passwordless.png) ### 1. Develop a password replacement offering 
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us ##### Security Policy You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. -![securityPolicyLocation.](images/passwordless/00-securityPolicy.png) +![securityPolicyLocation](images/passwordless/00-securityPolicy.png) **Windows Server 2016 and earlier** The policy name for these operating systems is **Interactive logon: Require smart card**. -![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png) +![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png) **Windows 10, version 1703 or later using Remote Server Administrator Tools** The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. -![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png) +![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon** -![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png) +![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) The name of the policy setting is **Exclude credential providers**. 
The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. -![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png) +![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png) Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. @@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ > [!NOTE] > Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. -![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png) +![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: 
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect - the user is not asked to change their password - domain controllers do not allow passwords for interactive authentication -![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png) +![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** > [!NOTE] > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. -![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png) +![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** > [!NOTE] 
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. -![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png) +![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 2ad3bb1f3b..5e24e71b64 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md 
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk, The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. -![Each logical container holds one or more sets of keys.](../images/passport-fig3-logicalcontainer.png) +![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png) Containers can contain several types of key material: diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 65fa656745..57bbf194fc 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: -![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) +![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: -![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) +![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. @@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C 2. Double-click **Restrict delegation of credentials to remote servers**. - ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) + ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) 3. Under **Use the following restricted mode**: diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d5c9651f0f..635a9631d6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios. In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in. -![Smart card service redirects to smart card reader.](images/sc-image101.png) +![Smart card service redirects to smart card reader](images/sc-image101.png) **Remote Desktop redirection** diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 63cbad9b26..0663f9a479 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system. -![Credential provider architecture.](images/sc-image201.gif) +![Credential provider architecture](images/sc-image201.gif) **Figure 1**  **Credential provider architecture** @@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers. -![Base CSP and smart card minidriver architecture.](images/sc-image203.gif) +![Base CSP and smart card minidriver architecture](images/sc-image203.gif) **Figure 2**  **Base CSP and smart card minidriver architecture** @@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system. -![Smart card selection process.](images/sc-image205.png) +![Smart card selection process](images/sc-image205.png) **Figure 3**  **Smart card selection behavior** 
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again Figure 4 shows the Cryptography architecture that is used by the Windows operating system. -![Cryptography architecture.](images/sc-image206.gif) +![Cryptography architecture](images/sc-image206.gif) **Figure 4**  **Cryptography architecture** diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index dbcf86ee67..ae671b4ace 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The **Certificate propagation service** -![Certificate propagation service.](images/sc-image302.gif) +![Certificate propagation service](images/sc-image302.gif) 1. A signed-in user inserts a smart card. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a220e7e658..ef209588b9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p The following diagram illustrates how smart card sign-in works in the supported versions of Windows. -![Smart card sign-in flow.](images/sc-image402.png) +![Smart card sign-in flow](images/sc-image402.png) **Smart card sign-in flow** 
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us **Certificate revocation list distribution points** -![Certificate revocation list distribution points.](images/sc-image403.png) +![Certificate revocation list distribution points](images/sc-image403.png) **UPN in Subject Alternative Name field** -![UPN in Subject Alternative Name field.](images/sc-image404.png) +![UPN in Subject Alternative Name field](images/sc-image404.png) **Subject and Issuer fields** -![Subject and Issuer fields.](images/sc-image405.png) +![Subject and Issuer fields](images/sc-image405.png) This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC. **High-level flow of certificate processing for sign-in** -![High-level flow of certificate processing for sign-in.](images/sc-image406.png) +![High-level flow of certificate processing for sign-in](images/sc-image406.png) The certificate object is parsed to look for content to perform user account mapping. @@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i **Certificate processing logic** -![Certificate processing logic.](images/sc-image407.png) +![Certificate processing logic](images/sc-image407.png) NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy). diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 3f72307e25..fa36cf563f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi **Smart card removal policy service** -![Smart card removal policy service.](images/sc-image501.gif) +![Smart card removal policy service](images/sc-image501.gif) The numbers in the previous figure represent the following actions: diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 76159c664d..10ffd31a84 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window The following shows how the logon process for an administrator differs from the logon process for a standard user. -![uac windows logon process.](images/uacwindowslogonprocess.gif) +![uac windows logon process](images/uacwindowslogonprocess.gif) By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. @@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. -![uac consent prompt.](images/uacconsentprompt.gif) +![uac consent prompt](images/uacconsentprompt.gif) **The credential prompt** 
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta The following is an example of the UAC credential prompt. -![uac credential prompt.](images/uaccredentialprompt.gif) +![uac credential prompt](images/uaccredentialprompt.gif) **UAC elevation prompts** @@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows: Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. -![uac shield icon.](images/uacshieldicon.png) +![uac shield icon](images/uacshieldicon.png) The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. @@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno The following diagram details the UAC architecture. -![uac architecture.](images/uacarchitecture.gif) +![uac architecture](images/uacarchitecture.gif) To better understand each component, review the table below: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 4468785ff0..badf574468 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram. -![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) +![Diagram of physical smart card lifecycle](images/vsc-physical-smart-card-lifecycle.png) Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 044f7c1fe1..6fb462eb81 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md 
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a The following diagram illustrates the secure key hierarchy and the process of accessing the user key. -![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png) +![Diagram of the process of accessing the user key](images/vsc-process-of-accessing-user-key.png) The following keys are stored on the hard disk: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index c6ad4e0710..6810a79d95 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo 2. Click **File**, and then click **Add/Remove Snap-in**. - ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) + ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png) 3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**. - ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) + ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png) 4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. 5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. - ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png) + ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png) 6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. - ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png) + ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png) 7. On the **General** tab: 
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo 12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. - ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png) + ![Add Certification Authority snap-in](images/vsc-06-add-certification-authority-snap-in.png) 13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. 14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. - ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png) + ![Right-click menu for Certificate Templates](images/vsc-07-right-click-certificate-templates.png) 15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. > **Note**  It can take some time for your template to replicate to all servers and become available in this list. - ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) + ![Selecting a certificate template](images/vsc-08-enable-certificate-template.png) 16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. - ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) + ![Stopping and starting the service](images/vsc-09-stop-service-start-service.png) ## Step 2: Create the TPM virtual smart card 
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u 1. On a domain-joined computer, open a Command Prompt window with Administrative credentials. - ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png) + ![Cmd prompt, Run as administrator](images/vsc-10-cmd-run-as-administrator.png) 2. At the command prompt, type the following, and then press ENTER: @@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to 2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**. - ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) + ![Request New Certificate](images/vsc-11-certificates-request-new-certificate.png) 3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1). - ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) + ![Certificate enrollment, select certificate](images/vsc-12-certificate-enrollment-select-certificate.png) 4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 4d3f59ff0a..789da743aa 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see: To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card. -![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png) +![Icon for a virtual smart card](images/vsc-virtual-smart-card-icon.png) A TPM-based virtual smart card is labeled **Security Device** in the user interface. diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 2c0a581e8d..9665848076 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP). -![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png) +![EAP XML configuration in Intune profile](images/vpn-eap-xml.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 44b05da541..2c1405d9e0 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune. -![Add an app for the VPN connection.](images/vpn-app-trigger.png) +![Add an app for the VPN connection](images/vpn-app-trigger.png) After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. -![Configure rules for the app.](images/vpn-app-rules.png) +![Configure rules for the app](images/vpn-app-rules.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 66baa88e46..393bf3b90b 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com The VPN client side connection flow works as follows: > [!div class="mx-imgBorder"] -> ![Device compliance workflow when VPN client attempts to connect.](images/vpn-device-compliance.png) +> ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png) When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 465f79924f..e65b9b6d8b 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. -![VPN connection types.](images/vpn-connection.png) +![VPN connection types](images/vpn-connection.png) ## Built-in VPN client @@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: > [!div class="mx-imgBorder"] -> ![Available connection types.](images/vpn-connection-intune.png) +> ![Available connection types](images/vpn-connection-intune.png) In Intune, you can also include custom XML for third-party plug-in profiles: > [!div class="mx-imgBorder"] -> ![Custom XML.](images/vpn-custom-xml-intune.png) +> ![Custom XML](images/vpn-custom-xml-intune.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 70cec8d554..fcc360257b 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune. -![Add DNS rule.](images/vpn-name-intune.png) +![Add DNS rule](images/vpn-name-intune.png) The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table. 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 96eae8c6ac..69940276c8 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i 10. Set Data type to **String (XML file)**. 11. Upload the profile XML file. 12. Click **OK**. - ![Custom VPN profile.](images/custom-vpn-profile.png) + ![Custom VPN profile](images/custom-vpn-profile.png) 13. Click **OK**, then **Create**. 14. Assign the profile. diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index ea0cb1c3ae..a33e2b0f3f 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration. -![split tunnel.](images/vpn-split.png) +![split tunnel](images/vpn-split.png) Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection. -![add route for split tunnel.](images/vpn-split-route.png) +![add route for split tunnel](images/vpn-split-route.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index c84ab32cb0..bd1a32dde4 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md 
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune. -![Add a traffic rule.](images/vpn-traffic-rules.png) +![Add a traffic rule](images/vpn-traffic-rules.png) ## LockDown VPN diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 62a4cf6cf0..2c1a02b8db 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co - Respond to suspicious activity - Recover from a breach -![Security stages.](images/security-stages.png) +![Security stages](images/security-stages.png) ## Attacks that steal credentials diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 23b9d93073..fc9b15fdef 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: -![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png) +![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png) Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. @@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: -![Kernel DMA protection.](images/kernel-dma-protection.png) +![Kernel DMA protection](images/kernel-dma-protection.png) If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index cd0b6543e6..4864bdf4d4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image 
type="content" source="images/yes-icon.png" alt-text="supported."::: | | -|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Standard recovery password storage location | Azure AD or Active 
Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | -|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported."::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index a72324edf4..eaccfb9c9f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: *\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* -![Custom URL.](./images/bl-intune-custom-url.png) +![Custom URL](./images/bl-intune-custom-url.png) Example of customized recovery screen: -![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png) +![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) ### BitLocker recovery key hints BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. -![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) +![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. @@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the Microsoft Account and the custom URL are displayed. -![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png) +![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png) #### Example 2 (single recovery key with single backup) 
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the custom URL is displayed. -![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png) +![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png) #### Example 3 (single recovery key with multiple backups) @@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the Microsoft Account hint is displayed. -![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png) +![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png) #### Example 4 (multiple recovery passwords) @@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. -![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png) +![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png) #### Example 5 (multiple recovery passwords) @@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the most recent key is displayed. -![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png) +![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png) ## Using additional recovery information diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index e8045e225c..c6483a8057 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -52,7 +52,7 @@ manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: -![Using manage-bde to check encryption status.](images/manage-bde-status.png) +![Using manage-bde to check encryption status](images/manage-bde-status.png) The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 664fb40db0..2a08e910d0 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in The output of such a command resembles the following. - ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png) + ![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png) - To export BitLocker-related information: ```ps 
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in The output of such a command resembles the following. - ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png) + ![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png) > [!NOTE] > If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index 6268e09343..d41b2c7bf1 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md 
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps: 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows. - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png) If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following: - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png) > [!NOTE] > GPOs that change the security descriptors of services have been known to cause this issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 1def746b1f..bab9c21e3e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md 
@@ -45,11 +45,11 @@ To install the tool, follow these steps: 1. Accept the default installation path. - ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png) + ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png) 1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. - ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png) + ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png) 1. Finish the installation. @@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps: This folder contains the TBSLogGenerator.exe file. - ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) + ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png) 1. Run the following command: ```cmd 
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps: TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` - ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png) + ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png) The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file. - ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) + ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png) The content of this text file resembles the following. -![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) +![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png) To find the PCR information, go to the end of the file. - ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) + ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -114,4 +114,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) +![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 611dc64098..60c34a7bb6 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md 
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) +![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png) To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following: -![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png) +![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png) ### Cause @@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following. -![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png) +![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png) ### Cause 
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. -![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png) +![Default disk partitions, including the recovery partition](./images/4509194-en-1.png) To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: @@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro diskpart list volume ``` -![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) +![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). -![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg) +![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) #### Step 2: Verify the status of WinRE @@ -123,7 +123,7 @@ reagentc /info ``` The output of this command resembles the following. -![Output of the reagentc /info command.](./images/4509193-en-1.png) +![Output of the reagentc /info command](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: 
@@ -141,7 +141,7 @@ bcdedit /enum all The output of this command resembles the following. -![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) +![Output of the bcdedit /enum all command](./images/4509196-en-1.png) In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes 1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. - ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) + ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png) 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive% In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows. -![Output of the manage-bde command.](./images/4509199-en-1.png) +![Output of the manage-bde command](./images/4509199-en-1.png) If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on. -![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png) +![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png) #### 2. Verify the Secure Boot state 
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol 1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Verify that the **Secure Boot State** setting is **On**, as follows: - ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) + ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png) 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. - ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) + ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: @@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following: -![Intune policy settings.](./images/4509186-en-1.png) +![Intune policy settings](./images/4509186-en-1.png) The OMA-URI references for these settings are as follows: @@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati - Support Modern Standby - Use Windows 10 version 1803 or later -![Intune policy setting.](./images/4509188-en-1.png) +![Intune policy setting](./images/4509188-en-1.png) The OMA-URI references for these settings are as follows: 
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows: During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845. -![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png) +![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png) -![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png) +![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png) You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section. -![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png) +![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png) On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys: - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker** - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** -![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png) \ No newline at end of file +![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png) \ No newline at end of file diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 768d8cdd75..31fc1097a4 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked ## User experience -![Kernel DMA protection user experience.](images/kernel-dma-protection-user-experience.png) +![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system. @@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. -![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png) +![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png) ### Using System information @@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if 2. Check the value of **Kernel DMA Protection**. - ![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png) + ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO: 
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external). -![Kernel DMA protection user experience.](images/device_details_tab_1903.png) +![Kernel DMA protection user experience](images/device_details_tab_1903.png) *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. -![Kernel DMA protection user experience.](images/device-details-tab.png) +![Kernel DMA protection user experience](images/device-details-tab.png) ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 3d8754473d..721ae1e1e3 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo Figure 1 shows the Windows 10 startup process. -![Windows 10 startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png) +![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** @@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. -![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png) +![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png) **Figure 2. Measured Boot proves the PC’s health to a remote server** diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index dd9e12558e..06d8c54066 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md 
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client • **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. -![TPM Capabilities.](images/tpm-capabilities.png) +![TPM Capabilities](images/tpm-capabilities.png) *Figure 1: TPM Cryptographic Key Management* @@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. -![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) +![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) *Figure 2: Process used to create evidence of boot software and configuration using a TPM* diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 5a5e12feb9..4a5ddd2df2 100644 
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. - ![Robocopy in S mode.](images/robocopy-s-mode.png) + ![Robocopy in S mode](images/robocopy-s-mode.png) If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 909073181d..a605d96688 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. - ![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png) + ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png) 3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. - ![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png) + ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png) 4. In the **Custom OMA-URI Settings** blade, click **Add**. @@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. - ![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png) + ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) 6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. 
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 32511b9cd5..f13e30a044 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y 1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. - ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png) + ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. @@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png) + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png) 6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. - ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png) + ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png) The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. @@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap The **Add app rule** box appears. - ![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png) + ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. 
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** The **Add app rule** box appears. - ![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png) + ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. @@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png) + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. 
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 4. On the **Before You Begin** page, click **Next**. - ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png) + ![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. - ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. 
- ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. @@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The **Add app rule** box appears. - ![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png) + ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. @@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png) + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. 
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png) + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png) @@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png) After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
@@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings. -![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png) +![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png) **To set your optional settings** 1. Choose to set any or all of the optional settings: @@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o **To view the Summary screen** - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png) + ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png) A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 0442c3778a..17dcaff4f3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or 3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**: - ![Configure MDM or MAM provider.](images/mobility-provider.png) + ![Configure MDM or MAM provider](images/mobility-provider.png) ## Create a WIP policy @@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or 2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. - ![Open Client apps.](images/create-app-protection-policy.png) + ![Open Client apps](images/create-app-protection-policy.png) 3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: @@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM. - ![Add a mobile app policy.](images/add-a-mobile-app-policy.png) + ![Add a mobile app policy](images/add-a-mobile-app-policy.png) 4. Click **Protected apps** and then click **Add apps**. - ![Add protected apps.](images/add-protected-apps.png) + ![Add protected apps](images/add-protected-apps.png) You can add these types of apps: @@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**. -![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png) +![Microsoft Intune management console: Recommended apps](images/recommended-apps.png) ### Add Store apps 
@@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK** - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` - **Product Name**: `Microsoft.MicrosoftPowerBIForWindows` -![Add Store app.](images/add-a-protected-store-app.png) +![Add Store app](images/add-a-protected-store-app.png) To add multiple Store apps, click the ellipsis **…**. @@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**. -![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png) +![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) If you’re unsure about what to include for the publisher, you can run this PowerShell command: @@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png) + ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png) 3. Right-click in the right-hand blade, and then click **Create New Rule**. @@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 4. On the **Before You Begin** page, click **Next**. - ![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png) + ![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. 
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. - ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png) + ![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png) 8. On the updated **Publisher** page, click **Create**. - ![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png) + ![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png) 9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. - ![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png) + ![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png) + ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) 10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png) + ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. 
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 3. Right-click **Executable Rules** > **Create New Rule**. - ![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png) + ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png) 4. On the **Before You Begin** page, click **Next**. @@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 6. On the **Conditions** page, click **Path** and then click **Next**. - ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png) + ![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png) 7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". - ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png) + ![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png) 8. On the **Exceptions** page, add any exceptions and then click **Next**. @@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 1. In **Protected apps**, click **Import apps**. - ![Import protected apps.](images/import-protected-apps.png) + ![Import protected apps](images/import-protected-apps.png) Then import your file. - ![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png) + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) 2. Browse to your exported AppLocker policy file, and then click **Open**. 
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise 1. In **Client apps - App protection policies**, click **Exempt apps**. - ![Exempt apps.](images/exempt-apps.png) + ![Exempt apps](images/exempt-apps.png) 2. In **Exempt apps**, click **Add apps**. @@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi 1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**. - ![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png) + ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) |Mode |Description | |-----|------------| @@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor 2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. - ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png) + ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) 3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**. - ![Add protected domains.](images/add-protected-domains.png) + ![Add protected domains](images/add-protected-domains.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. 
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. -![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png) +![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**. 
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings: - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network. -![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png) +![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) ## Upload your Data Recovery Agent (DRA) certificate After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. 
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to 2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png) + ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. -![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png) +![Advanced optional settings](images/wip-azure-advanced-settings-optional.png) **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: @@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. -![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png) +![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) ## Related topics diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 8d929e1db4..524199cf73 100644 
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index dd3fb2529e..b54cc7cbe1 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task The **Select columns** box appears. - ![Task Manager, Select column box with Enterprise Context option selected.](images/wip-select-column.png) + ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png) 3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box. The **Enterprise Context** column should now be available in Task Manager. - ![Task Manager, Enterprise Context column highlighted.](images/wip-taskmgr.png) + ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png) ## Review the Enterprise Context The **Enterprise Context** column shows you what each app can do with your enterprise data: 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index e2f9ce0a1f..1e97616ee8 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h 1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. - ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) 1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. - ![Image showing the UI with for app and website learning reports.](images/wip-learning-select-report.png) + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. @@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health, 4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). - ![View of drop down menu for Store or desktop apps.](images/wip-learning-choose-store-or-desktop-app.png) + ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) 5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. 
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health, `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US` - ![View of Add Apps app info entry boxes.](images/wip-learning-app-info.png) + ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) 6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index ea4b252a30..1ede3ef4ed 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. 
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png) +![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png) ## Troubleshooting diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index def1ec0b93..6e6173e36d 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -17,7 +17,7 @@ ms.technology: mde --- # Coordinated Malware Eradication -![coordinated-malware-eradication.](images/CoordinatedMalware.png) +![coordinated-malware-eradication](images/CoordinatedMalware.png) Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive. diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index b125773d18..e2029f3c2c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md 
@@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo For clarity, fileless threats are grouped into different categories. -![Comprehensive diagram of fileless malware.](images/fileless-malware.png)
+![Comprehensive diagram of fileless malware](images/fileless-malware.png)
*Figure 1. Comprehensive diagram of fileless malware* Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. @@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. -![Image of Kovter's registry key.](images/kovter-reg-key.png)
+![Image of Kovter's registry key](images/kovter-reg-key.png)
*Figure 2. Kovter’s registry key* When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 3b37bdf391..ef4a133061 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -20,7 +20,7 @@ ms.technology: mde We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format: -![coordinated-malware-eradication.](images/NamingMalware1.png) +![coordinated-malware-eradication](images/NamingMalware1.png) When our analysts research a particular threat, they'll determine what each of the components of the name will be. diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 01c216b8fe..1f997dac95 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md 
@@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam: * The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. - ![example of how exploit kits work.](./images/URLhover.png) + ![example of how exploit kits work](./images/URLhover.png) * There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index ae7c0e8363..00eafc82ce 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant. 2. Select **Grant admin consent for organization**. 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image.](images/msi-grant-admin-consent.jpg) + ![grant consent image](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   
@@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant. Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). -![Enterprise applications user settings.](images/msi-enterprise-app-user-setting.jpg) +![Enterprise applications user settings](images/msi-enterprise-app-user-setting.jpg) More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow). Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification. -![Contoso sign in flow.](images/msi-contoso-approval-required.png) +![Contoso sign in flow](images/msi-contoso-approval-required.png) Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/). @@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica ## Option 2 Provide admin consent by authenticating the application as an admin This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission). -![Consent sign in flow.](images/msi-microsoft-permission-required.jpg) +![Consent sign in flow](images/msi-microsoft-permission-required.jpg) Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. 
@@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) and select **delete**. - ![Delete app permissions.](images/msi-properties.png) + ![Delete app permissions](images/msi-properties.png) 2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties). 3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. ``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access`` - ![Permissions needed.](images/msi-microsoft-permission-requested-your-organization.png) + ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) 4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). - ![Review that permissions are applied.](images/msi-permissions.jpg) + ![Review that permissions are applied](images/msi-permissions.jpg) 6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access. 
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 2aa32ed8f6..ed4e5aaf84 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect This image shows how a worm can quickly spread through a shared USB drive. -![Worm example.](./images/WormUSB-flight.png) +![Worm example](./images/WormUSB-flight.png) ### *Figure worm spreading from a shared USB drive* diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 83a6f5e00b..f0c6938382 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md 
@@ -29,8 +29,8 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po For example: -[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) +[![VBS script](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) +[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 3b18ab25d3..994ade09de 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md 
@@ -45,7 +45,7 @@ Applies to: You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. The following diagram shows the flow between the host PC and the isolated container. -![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png) +![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) ## Install Application Guard @@ -55,7 +55,7 @@ Application Guard functionality is turned off by default. However, you can quick 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. - ![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png) + ![Windows Features, turning on Microsoft Defender Application Guard](images/turn-windows-features-on-off.png) 2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**. @@ -86,7 +86,7 @@ Application Guard functionality is turned off by default. However, you can quick > [!IMPORTANT] > Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment). -:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune."::: +:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune"::: 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4ad66674a9..de798293db 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -29,7 +29,7 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. -![Hardware isolation diagram.](images/appguard-hardware-isolation.png) +![Hardware isolation diagram](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8ff39f397..74525211f8 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md 
@@ -33,7 +33,7 @@ You can see how an employee would use standalone mode with Application Guard. 2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu. - ![New Application Guard window setting option.](images/appguard-new-window.png) + ![New Application Guard window setting option](images/appguard-new-window.png) 3. Wait for Application Guard to set up the isolated environment. @@ -42,7 +42,7 @@ You can see how an employee would use standalone mode with Application Guard. 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. - ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) ## Application Guard in Enterprise-managed mode 
@@ -64,19 +64,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1 c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. - ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png) + ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. - ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png) + ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. 5. Click **Enabled**, choose Option **1**, and click **OK**. - ![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png) + ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. 
@@ -85,13 +85,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1 After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. - ![Trusted website running on Microsoft Edge.](images/appguard-turned-on-with-trusted-site.png) + ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. - ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) ### Customize Application Guard @@ -118,7 +118,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor clipboard options.](images/appguard-gp-clipboard.png) + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: @@ -144,7 +144,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Print options.](images/appguard-gp-print.png) + ![Group Policy editor Print options](images/appguard-gp-print.png) 3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. 
@@ -156,7 +156,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Data Persistence options.](images/appguard-gp-persistence.png) + ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) 3. Open Microsoft Edge and browse to an untrusted, but safe URL. @@ -186,7 +186,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options.](images/appguard-gp-download.png) + ![Group Policy editor Download options](images/appguard-gp-download.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. @@ -200,7 +200,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor hardware acceleration options.](images/appguard-gp-vgpu.png) + ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) 3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. @@ -217,7 +217,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. 
@@ -231,7 +231,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Camera and microphone options.](images/appguard-gp-allow-camera-and-mic.png) + ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. @@ -245,7 +245,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Root certificate options.](images/appguard-gp-allow-root-certificates.png) + ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. 
@@ -258,10 +258,10 @@ Once a user has the extension and its companion app installed on their enterpris 1. Open either Firefox or Chrome — whichever browser you have the extension installed on. 2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. - ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png) + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. - ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png) + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) 4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 146b20c787..80486846fb 100644 
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -61,7 +61,7 @@ If you believe a warning or block was incorrectly shown for a file or applicatio When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. -![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) +![Windows Security, Microsoft Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png) ## Viewing Microsoft Defender SmartScreen anti-phishing events diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 89c036958f..85c404a314 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md 
@@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png) + ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) ## How Microsoft Defender SmartScreen works when a user tries to run an app Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index c2a1d31b98..c792222c8a 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md 
@@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual 1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting. - ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png) + ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png) 2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic. @@ -52,12 +52,12 @@ The following procedure describes how to use Group Policy to override individual **Note**
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior. - ![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png) + ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png) ## Setting the bit field Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings: -![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png) +![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png) Where the bit flags are read from right to left and are defined as: diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 0a9058b91d..f98634584d 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -130,7 +130,7 @@ You can now see which processes have DEP enabled. -![Processes with DEP enabled in Windows 10.](images/security-fig5-dep.png) +![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) *Figure 2.  Processes on which DEP has been enabled in Windows 10* 
@@ -168,7 +168,7 @@ One of the most common techniques used to gain access to a system is to find a v Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. -![ASLR at work.](images/security-fig4-aslr.png) +![ASLR at work](images/security-fig4-aslr.png) **Figure 3.  ASLR at work** diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index e24bb48367..220c774696 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -56,13 +56,13 @@ Because mobile devices are increasingly being used to access corporate informati Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. -:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png"::: +:::image type="content" alt-text="figure 1" source="images/hva-fig1-endtoend1.png"::: A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. -:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png"::: +:::image type="content" alt-text="figure 2" source="images/hva-fig2-assessfromcloud2.png"::: Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. 
@@ -94,7 +94,7 @@ In Windows 10, there are three pillars of investments: This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. -:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png"::: +:::image type="content" alt-text="figure 3" source="images/hva-fig3-endtoendoverview3.png"::: | Number | Part of the solution | Description | | - | - | - | @@ -115,7 +115,7 @@ This section describes what Windows 10 offers in terms of security defenses and The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. -:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png"::: +:::image type="content" alt-text="figure 4" source="images/hva-fig4-hardware.png"::: Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: @@ -230,7 +230,7 @@ The following Windows 10 services are protected with virtualization-based securi The schema below is a high-level view of Windows 10 with virtualization-based security. -:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png"::: +:::image type="content" alt-text="figure 5" source="images/hva-fig5-virtualbasedsecurity.png"::: ### Credential Guard 
@@ -425,11 +425,11 @@ The antimalware software can search to determine whether the boot sequence conta Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. -:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png"::: +:::image type="content" alt-text="figure 6" source="images/hva-fig6-logs.png"::: When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. -:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png"::: +:::image type="content" alt-text="figure 7" source="images/hva-fig7-measurement.png"::: The health attestation process works as follows: @@ -459,7 +459,7 @@ The following process describes how health boot measurements are sent to the hea 4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. -:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png"::: +:::image type="content" alt-text="figure 8" source="images/hva-fig8a-healthattest8a.png"::: ### Device health attestation components 
@@ -632,7 +632,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr 2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. 3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. - :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png"::: + :::image type="content" alt-text="figure 9" source="images/hva-fig8-evaldevicehealth8.png"::: Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: @@ -671,7 +671,7 @@ The remote device health attestation process uses measured boot data to verify t The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. -:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png"::: +:::image type="content" alt-text="figure 10" source="images/hva-fig9-intune.png"::: An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. 
@@ -705,7 +705,7 @@ If the device is not registered, the user will get a message with instructions o **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. -:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png"::: +:::image type="content" alt-text="figure 11" source="images/hva-fig10-conditionalaccesscontrol.png"::: ### Office 365 conditional access control @@ -725,7 +725,7 @@ The user will be denied access to services when sign-in credentials are changed, Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. -:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png"::: +:::image type="content" alt-text="figure 12" source="images/hva-fig11-office365.png"::: Clients that attempt to access Office 365 will be evaluated for the following properties: 
@@ -758,7 +758,7 @@ For on-premises applications there are two options to enable conditional access - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. -:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png"::: +:::image type="content" alt-text="figure 13" source="images/hva-fig12-conditionalaccess12.png"::: The following process describes how Azure AD conditional access works: diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index ce251bc758..eb88a41772 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -36,7 +36,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1 This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The Privacy setting is off by default, which hides the details. -![Privacy setting.](images/privacy-setting-in-sign-in-options.png) +![Privacy setting](images/privacy-setting-in-sign-in-options.png) The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 7a58b942a4..426d291c10 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -157,7 +157,7 @@ The following diagram shows Security Settings and related features. #### Security Settings Policies and Related Features -![components related to security policies.](images/secpol-components.gif) +![components related to security policies](images/secpol-components.gif) - **Scesrv.dll** @@ -181,7 +181,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the **Security Settings Architecture** -![architecture of security policy settings.](images/secpol-architecture.gif) +![architecture of security policy settings](images/secpol-architecture.gif) The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. 
@@ -321,7 +321,7 @@ In the context of Group Policy processing, security settings policy is processed **Multiple GPOs and Merging of Security Policy** - ![multiple gpos and merging of security policy.](images/secpol-multigpomerge.gif) + ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) 1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. 1. The security settings policies are applied to devices. @@ -329,7 +329,7 @@ The following figure illustrates the security settings policy processing. **Security Settings Policy Processing** -![process and interactions of security policy settings.](images/secpol-processes.gif) +![process and interactions of security policy settings](images/secpol-processes.gif) ### Merging of security policies on domain controllers diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index a8362c5bda..277bc347d1 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -380,9 +380,9 @@ This can easily be extended to other Auto-Execution Start Points keys in the reg Use the following figures to see how you can configure those registry keys. -![default acl for run key.](images/runkey.png) +![default acl for run key](images/runkey.png) -![default acl for runonce key.](images/runoncekey.png) +![default acl for runonce key](images/runoncekey.png) ## Appendix C - Event channel settings (enable and channel access) methods 
@@ -399,7 +399,7 @@ The following GPO snippet performs the following: - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. -![configure event channels.](images/capi-gpo.png) +![configure event channels](images/capi-gpo.png) ## Appendix D - Minimum GPO for WEF Client configuration @@ -409,7 +409,7 @@ Here are the minimum steps for WEF to operate: 2. Start the WinRM service. 3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. -![configure the wef client.](images/wef-client-config.png) +![configure the wef client](images/wef-client-config.png) ## Appendix E – Annotated baseline subscription event query diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index 11b4c1a58b..9b1eb730a6 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md 
@@ -299,7 +299,7 @@ One of the most common techniques used by attackers to gain access to a system i Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts. -![figure 3.](images/mobile-security-guide-figure3.png) +![figure 3](images/mobile-security-guide-figure3.png) Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system. diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 582297f71b..ab40f94622 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
@@ -37,7 +37,7 @@ Refer to the below video for an overview and brief demo. > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp] ## Policy Authorization Process -![Policy Authorization.](images/wdac-intune-policy-authorization.png) +![Policy Authorization](images/wdac-intune-policy-authorization.png) The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly. 1. Generate a supplemental policy with WDAC tooling 
@@ -89,11 +89,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number. ## Standard Process for Deploying Apps through Intune -![Deploying Apps through Intune.](images/wdac-intune-app-deployment.png) +![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment. ## Optional: Process for Deploying Apps using Catalogs -![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png) +![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png) Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well. Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index af49d0b081..f197b8f4b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. -![applocker blocked application error message.](images/blockedappmsg.gif) +![applocker blocked application error message](images/blockedappmsg.gif) For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 9ffaf2b82c..5350f5c843 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
@@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. -![applocker rule enforcement inheritance chart.](images/applocker-plan-inheritance.gif) +![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index a51539d046..0f909bdf3d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application The following diagram shows the main points in the design, planning, and deployment process for AppLocker. -![applocker quick reference guide.](images/applocker-plandeploy-quickreference.gif) +![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) ## Resources to support the deployment process 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 671bd29bf1..bc1218b82c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -46,7 +46,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these **Figure 1. Exceptions to the deployed WDAC policy**
- ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) + ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 706f2e6d6a..cb94565bff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
@@ -45,7 +45,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). **Figure 1. Exceptions to the deployed WDAC policy** - ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) + ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 761ea31822..b9ca84a296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md 
@@ -39,7 +39,7 @@ ECDSA is not supported. 2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. - ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png) + ![CA snap-in showing Certificate Templates](images/dg-fig27-managecerttemp.png) Figure 1. Manage the certificate templates @@ -55,7 +55,7 @@ ECDSA is not supported. 8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. - ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png) + ![Edit Basic Constraints Extension](images/dg-fig29-enableconstraints.png) Figure 2. Select constraints on the new template @@ -71,7 +71,7 @@ When this certificate template has been created, you must publish it to the CA p 1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3. - ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png) + ![Select Certificate Template to Issue](images/dg-fig30-selectnewcert.png) Figure 3. Select the new certificate template to issue @@ -89,7 +89,7 @@ Now that the template is available to be issued, you must request one from the c 4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. - ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png) + ![Request Certificates: more information required](images/dg-fig31-getmoreinfo.png) Figure 4. Get more information for your code signing certificate 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index bdb0bb25f6..52cac752d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -142,7 +142,7 @@ To sign the existing catalog file, copy each of the following commands into an e 4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. - ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png) + ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png) Figure 1. Verify that the signing certificate exists @@ -182,7 +182,7 @@ To simplify the management of catalog files, you can use Group Policy preference > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate). - ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png) + ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png) Figure 2. Create a new GPO 
@@ -192,7 +192,7 @@ To simplify the management of catalog files, you can use Group Policy preference 5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3. - ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png) + ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png) Figure 3. Create a new file @@ -202,7 +202,7 @@ To simplify the management of catalog files, you can use Group Policy preference 7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used. - ![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png) + ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png) Figure 4. Set the new file properties @@ -235,7 +235,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c 3. Name the package, set your organization as the manufacturer, and select an appropriate version number. - ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png) + ![Create Package and Program Wizard](images/dg-fig16-specifyinfo.png) Figure 5. Specify information about the new package @@ -257,7 +257,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c - From the **Drive mode** list, select **Runs with UNC name**. - ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png) + ![Standard Program page of wizard](images/dg-fig17-specifyinfo.png) Figure 6. Specify information about the standard program 
@@ -285,7 +285,7 @@ After you create the deployment package, deploy it to a collection so that the c - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. - ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png) + ![Deploy Software Wizard, User Experience page](images/dg-fig18-specifyux.png) Figure 7. Specify the user experience @@ -310,13 +310,13 @@ When catalog files have been deployed to the computers within your environment, 3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8. - ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png) + ![Create Custom Client Device Settings](images/dg-fig19-customsettings.png) Figure 8. Select custom settings 4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9. - ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png) + ![Software Inventory settings for devices](images/dg-fig20-setsoftwareinv.png) Figure 9. Set the software inventory @@ -329,7 +329,7 @@ When catalog files have been deployed to the computers within your environment, 7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10. - ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png) + ![Path Properties, specifying a path](images/dg-fig21-pathproperties.png) Figure 10. Set the path properties 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index dea3b62b33..d20e96958f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -43,7 +43,7 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md). - ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png) + ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png) 3. Name the new GPO. You can choose any name. @@ -51,7 +51,7 @@ To deploy and manage a WDAC policy with Group Policy: 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**. - ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png) + ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png) 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path. 
@@ -60,7 +60,7 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. - ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png) + ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png) > [!NOTE] > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 29fbbe9431..250600e081 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are: - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] - > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png) + > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) > [!NOTE] > For the _Policy GUID_ value, do not include the curly brackets. diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 0c319af7e6..848bfe1e62 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -45,7 +45,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab 6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. -![Recommended WDAC policy deployment process.](images/policyflow.png) +![Recommended WDAC policy deployment process](images/policyflow.png) ### Keep WDAC policies in a source control or document management solution diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 4915d3faea..2c5382e43b 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md). -![Selecting a base template for the policy.](images/wdac-wizard-template-selection.png) +![Selecting a base template for the policy](images/wdac-wizard-template-selection.png) Once the base template is selected, give the policy a name and choose where to save the application control policy on disk. @@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi | **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | > [!div class="mx-imgBorder"] -> ![Rule options UI for Windows Allowed mode policy.](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) +> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) ### Advanced Policy Rules Description 
@@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | -![Rule options UI for Windows Allowed mode.](images/wdac-wizard-rule-options-UI.png) +![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png) > [!NOTE] > We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. @@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | -![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) +![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules 
@@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c | **Internal name** | Specifies the internal name of the binary. | > [!div class="mx-imgBorder"] -> ![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) +> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) ### File Hash Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index 5f96c11702..bca81708e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md 
@@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [ Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation. -![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png) +![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png) If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. -![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png) +![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png) Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). -![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png) +![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png) ## Configuring Policy Rules 
@@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | -![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png) +![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png) ## Creating custom file rules @@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | -![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) +![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules @@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c | **Internal name** | Specifies the internal name of the binary. | -![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) +![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) ### File Hash Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index 09c88d84aa..2b94c7f004 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). -![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png) +![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png) A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules). 
@@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. -![Removing file rule from policy during edit.](images/wdac-wizard-edit-remove-file-rule.png) +![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png) **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md index 66ad01329f..ec6e988048 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md 
@@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. -![Merging WDAC policies into a final WDAC policy.](images/wdac-wizard-merge.png) +![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index ed1a7fe460..6da28ad681 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -57,4 +57,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 544e90142e..80d025f7ac 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
@@ -76,4 +76,4 @@ This can only be done in Group Policy. > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 969d80c8bf..1bfddcc3f2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -32,11 +32,11 @@ ms.technology: mde You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![The security center custom fly-out.](images/security-center-custom-flyout.png) +![The security center custom fly-out](images/security-center-custom-flyout.png) This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). -![A security center notification.](images/security-center-custom-notif.png) +![A security center notification](images/security-center-custom-notif.png) Users can select the displayed information to initiate a support request: 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 13fce0f2d5..919f2cb7a2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -56,4 +56,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f4d3053cd9..f0627d2869 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -50,7 +50,7 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Disable the Clear TPM button If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 274c66bd66..c7d0fb4944 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -55,4 +55,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 3a14dc7c26..5cf74d9fdf 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -52,5 +52,5 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 87960171d1..762e9c7402 100644 
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -63,7 +63,7 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Hide the Ransomware protection area diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 30cc06c3d0..146bdcc78e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md 
@@ -34,7 +34,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index fe03727f33..17eb0a98fd 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -31,7 +31,7 @@ In Windows 10, version 1709 and later, the app also shows information from third In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. -![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png) +![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) > [!NOTE] > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). 
@@ -55,19 +55,19 @@ You can find more information about each section, including options for configur > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Open the Windows Security app - Click the icon in the notification area on the taskbar. - ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png) + ![Screenshot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) - Search the Start menu for **Windows Security**. - ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png) + ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png) + ![Screenshot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 848345ef8b..8b55c05b3e 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -52,7 +52,7 @@ DRTM lets the system freely boot into untrusted code initially, but shortly afte This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. -![System Guard Secure Launch.](images/system-guard-secure-launch.png) +![System Guard Secure Launch](images/system-guard-secure-launch.png) Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
@@ -82,7 +82,7 @@ While Windows Defender System Guard provides advanced protection that will help As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. -![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png) +![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 55321967df..14695d80d0 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -38,13 +38,13 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. - ![Secure Launch Configuration.](images/secure-launch-group-policy.png) + ![Secure Launch Configuration](images/secure-launch-group-policy.png) ### Windows Security Center Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. - ![Windows Security Center.](images/secure-launch-security-app.png) + ![Windows Security Center](images/secure-launch-security-app.png) ### Registry 
@@ -58,13 +58,13 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > 5. Double-click **Enabled**, change the value to **1**, and click **OK**. - ![Secure Launch Registry.](images/secure-launch-registry.png) + ![Secure Launch Registry](images/secure-launch-registry.png) ## How to verify System Guard Secure Launch is configured and running To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Verifying Secure Launch is running in the Windows Security Center.](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 5819f886fd..71f0392376 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md 
@@ -38,7 +38,7 @@ type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./op When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. -![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png) +![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png) *Figure 1: Windows Defender Firewall* @@ -55,7 +55,7 @@ View detailed settings for each profile by right-clicking the top-level **Window Maintain the default settings in Windows Defender Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. -![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png) +![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png) *Figure 2: Default inbound/outbound settings* @@ -70,7 +70,7 @@ In many cases, a next step for administrators will be to customize these profile This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: -![Rule creation wizard.](images/fw02-createrule.png) +![Rule creation wizard](images/fw02-createrule.png) *Figure 3: Rule Creation Wizard* @@ -131,7 +131,7 @@ To determine why some applications are blocked from communicating in the network Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. -![Windows Firewall prompt.](images/fw04-userquery.png) +![Windows Firewall prompt](images/fw04-userquery.png) *Figure 4: Dialog box to allow access* 
@@ -148,7 +148,7 @@ Rule merging settings control how rules from different policy sources can be com The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy. -![Customize settings.](images/fw05-rulemerge.png) +![Customize settings](images/fw05-rulemerge.png) *Figure 5: Rule merging setting* @@ -180,11 +180,11 @@ An important firewall feature you can use to mitigate damage during an active at Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. -![Incoming connections.](images/fw06-block.png) +![Incoming connections](images/fw06-block.png) *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* -![Firewall cpl.](images/fw07-legacy.png) +![Firewall cpl](images/fw07-legacy.png) *Figure 7: Legacy firewall.cpl* diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 37d7edb647..0e67454be2 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md 
@@ -32,7 +32,7 @@ The GPOs you build for the boundary zone include IPsec or connection security ru Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. -![design flowchart.](images/wfas-designflowchart1.gif) +![design flowchart](images/wfas-designflowchart1.gif) The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 479b2e67af..bf9a3f7d47 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md 
@@ -28,7 +28,7 @@ ms.technology: mde To get started, open Device Configuration in Intune, then create a new profile. Choose Windows 10 as the platform, and Endpoint Protection as the profile type. Select Windows Defender Firewall. -![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png) +![Windows Defender Firewall in Intune](images/windows-firewall-intune.png) >[!IMPORTANT] >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 8f27c49ab5..0e7f47576b 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -32,7 +32,7 @@ In addition to the basic protection provided by the firewall rules in the previo The following illustration shows the traffic protection needed for this design example. -![domain isolation policy design.](images/wfas-design2example1.gif) +![domain isolation policy design](images/wfas-design2example1.gif) 1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. 
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 659827d1c6..6c13157e59 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -34,7 +34,7 @@ By using connection security rules based on IPsec, you provide a logical barrier The design is shown in the following illustration, with the arrows that show the permitted communication paths. -![isolated domain boundary zone.](images/wfasdomainisoboundary.gif) +![isolated domain boundary zone](images/wfasdomainisoboundary.gif) Characteristics of this design, as shown in the diagram, include the following: diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 718505a9d7..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -22,7 +22,7 @@ Debugging packet drops is a continuous issue to Windows customers. In the past, Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. -![Event properties.](images/event-properties-5157.png) +![Event properties](images/event-properties-5157.png) The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. 
@@ -73,7 +73,7 @@ To enable a specific audit event, run the corresponding command in an administra As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on. -![Event audit.](images/event-audit-5157.png) +![Event audit](images/event-audit-5157.png) The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**. @@ -86,7 +86,7 @@ Get-NetFirewallRule -Name “” Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} " ``` -![Firewall rule.](images/firewallrule.png) +![Firewall rule](images/firewallrule.png) After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`. @@ -118,7 +118,7 @@ Get-NetIPInterface –InterfaceIndex Get-NetIPInterface –InterfaceIndex 5 ``` -![Quarantine default block filter.](images/quarantine-default-block-filter.png) +![Quarantine default block filter](images/quarantine-default-block-filter.png) To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md). @@ -139,7 +139,7 @@ To generate a list of all the query user block rules, you can run the following Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} ``` -![Query user default block filter.](images/query-user-default-block-filters.png) +![Query user default block filter](images/query-user-default-block-filters.png) The query user pop-up feature is enabled by default. 
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 5a6acfea96..8c8fb36ee5 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -38,7 +38,7 @@ The network administrators want to implement Windows Defender Firewall with Adva The following illustration shows the traffic protection needs for this design example. -![design example 1.](images/wfas-designexample1.gif) +![design example 1](images/wfas-designexample1.gif) 1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 265019f489..7b95852c3d 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
@@ -41,7 +41,7 @@ The following are important factors in the implementation of your Windows Defend The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. -![wfas implementation.](images/wfas-implement.gif) +![wfas implementation](images/wfas-implement.gif) Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index bd087a2124..87bab115a6 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -196,7 +196,7 @@ Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /s Sample drop audit with `filterOrigin` as `Quarantine Default`. -![Quarantine default.](images/quarantine-default1.png) +![Quarantine default](images/quarantine-default1.png) Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface: 
@@ -205,7 +205,7 @@ Get-NetIPInterface –InterfaceIndex Get-NetIPInterface –InterfaceIndex 5 ``` -![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png) +![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png) Using the interface name, event viewer can be searched for any interface related changes. diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 8fbeb35412..81a548b4ee 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -30,7 +30,7 @@ For devices that share sensitive information over the network, Windows Defender The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. -![encryption zone in an isolated domain.](images/wfas-domainisoencrypt.gif) +![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif) This goal provides the following benefits: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 1a7c288575..a50232fe28 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md 
@@ -34,7 +34,7 @@ You can restrict access by specifying either computer or user credentials. The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. -![isolated domain with network access groups.](images/wfas-domainnag.gif) +![isolated domain with network access groups](images/wfas-domainnag.gif) This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 5285e56ad9..d7de7d8963 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -35,7 +35,7 @@ The protection provided by domain isolation can help you comply with regulatory The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. -![domain isolation.](images/wfas-domainiso.gif) +![domain isolation](images/wfas-domainiso.gif) These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: 
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 8cb2a35d50..4c6f3f4fb7 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -59,7 +59,7 @@ These procedures assume that you already have a public key infrastructure (PKI) The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. -![the contoso corporate network.](images/corpnet.gif) +![the contoso corporate network](images/corpnet.gif) **Figure 1** The Contoso corporate network @@ -77,7 +77,7 @@ This script does the following: - Creates the IKEv2 connection security rule called **My IKEv2 Rule**. -![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. 
@@ -117,7 +117,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. -![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index a0070cf114..0e2b6ce11e 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -46,7 +46,7 @@ In addition to the protection provided by the firewall rules and domain isolatio The following illustration shows the traffic protection needs for this design example. -![isolated server example.](images/wfas-design3example1.gif) +![isolated server example](images/wfas-design3example1.gif) 1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 7d44e7c17c..f4d452b4cf 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -32,7 +32,7 @@ You can implement a server isolation design without using domain isolation. To d The design is shown in the following illustration, with arrows that show the permitted communication paths. -![isolated domain with isolated server.](images/wfas-domainisohighsec.gif) +![isolated domain with isolated server](images/wfas-domainisohighsec.gif) Characteristics of this design include the following: diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index bf70a3a3b7..3e383743a4 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md 
@@ -328,7 +328,7 @@ Windows PowerShell can create powerful, complex IPsec policies like in Netsh and In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. -![object model for creating a single ipsec rule.](images/createipsecrule.gif) +![object model for creating a single ipsec rule](images/createipsecrule.gif) ### Create IPsec rules @@ -353,7 +353,7 @@ If you want to create a custom set of quick-mode proposals that includes both AH You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. -![crypto set object.](images/qmcryptoset.gif) +![crypto set object](images/qmcryptoset.gif) In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index 8e719f1364..f18a5180db 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md 
@@ -61,12 +61,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) +[![Microsoft Security Guidance Blog](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) ## Related Videos diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 170918a4fa..cfb7427cbc 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -60,12 +60,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) +[![Microsoft Security Guidance Blog](./../images/community.png)](/archive/blogs/secguide/) ## Related Videos diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index b99b7a48ad..1387997652 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -38,7 +38,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 1. Go to the article that you want to update, and then click **Edit**. - ![GitHub Web, showing the Edit link.](images/contribute-link.png) + ![GitHub Web, showing the Edit link](images/contribute-link.png) 2. Sign into (or sign up for) a GitHub account. 
@@ -46,7 +46,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 3. Click the **Pencil** icon (in the red box) to edit the content. - ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) + ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) @@ -55,11 +55,11 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**. - ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) + ![GitHub Web, showing the Propose file change button](images/propose-file-change.png) The **Comparing changes** screen shows the changes between your version of the article and the original content. @@ -67,7 +67,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 256dad7a3a..83e1c6b032 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -![Microsoft Defender for Endpoint.](../images/wdatp.png) +![Microsoft Defender for Endpoint](../images/wdatp.png) ##### Attack surface reduction @@ -275,7 +275,7 @@ The WSC service now requires antivirus products to run as a protected process to WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. -![Security at a glance.](../images/defender.png "Windows Security Center") +![Security at a glance](../images/defender.png "Windows Security Center") #### Group Policy Security Options @@ -288,7 +288,7 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings") +![S mode settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") ## Deployment 
@@ -387,7 +387,7 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in.](../images/fastsignin.png "fast sign-in") + ![fast sign-in](../images/fastsignin.png "fast sign-in") ### Web sign-in to Windows 10 @@ -402,7 +402,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. -![Sign-in option.](../images/websignin.png "web sign-in") +![Sign-in option](../images/websignin.png "web sign-in") ## Windows Analytics @@ -470,7 +470,7 @@ The OS uninstall period is a length of time that users are given when they can o Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard.](../images/bulk-token.png) +![get bulk token action in wizard](../images/bulk-token.png) ### Windows Spotlight @@ -636,7 +636,7 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. -![Reg editor.](../images/regeditor.png "Registry editor dropdown") +![Reg editor](../images/regeditor.png "Registry editor dropdown") ## Remote Desktop with Biometrics 
@@ -650,9 +650,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: -![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello") -![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016") +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Provide credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") ## See Also diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 48bf6b509b..b05bba2289 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -31,11 +31,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. -![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png) +![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png) Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp). -![remove pre-installed software option.](images/wcd-cleanpc.png) +![remove pre-installed software option](images/wcd-cleanpc.png) [Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) 
@@ -44,7 +44,7 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard.](images/bulk-token.png) +![get bulk token action in wizard](images/bulk-token.png) ### Windows Spotlight @@ -279,7 +279,7 @@ Learn about the new Group Policies that were added in Windows 10, version 1703. The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml). -![Lockdown Designer app in Store.](images/ldstore.png) +![Lockdown Designer app in Store](images/ldstore.png) [Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 6410248ff6..e73c5af9bc 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
@@ -46,7 +46,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: > [!div class="mx-imgBorder"] -> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings") +> ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -109,16 +109,16 @@ To try this: See the following example: > [!div class="mx-imgBorder"] -> ![Security at a glance.](images/1_AppBrowser.png "app and browser control") +> ![Security at a glance](images/1_AppBrowser.png "app and browser control") > [!div class="mx-imgBorder"] -> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing") +> ![Isolated browser](images/2_InstallWDAG.png "isolated browsing") > [!div class="mx-imgBorder"] -> ![change WDAG settings.](images/3_ChangeSettings.png "change settings") +> ![change WDAG settings](images/3_ChangeSettings.png "change settings") > [!div class="mx-imgBorder"] -> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings") +> ![view WDAG settings](images/4_ViewSettings.jpg "view settings") ### Windows Security Center 
@@ -130,7 +130,7 @@ The WSC service now requires antivirus products to run as a protected process to WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. -![alt text.](images/defender.png "Windows Security Center") +![alt text](images/defender.png "Windows Security Center") ### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes @@ -195,7 +195,7 @@ We introduced a simplified assigned access configuration experience in **Setting To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. -![set up a kiosk.](images/kiosk-mode.png "set up a kiosk") +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. @@ -203,7 +203,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty 2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. -![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
@@ -212,11 +212,11 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. -![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. -![normal mode.](images/Normal_inFrame.png "normal mode") +![normal mode](images/Normal_inFrame.png "normal mode") Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). @@ -224,7 +224,7 @@ Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-ed We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. -![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown") +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") ## Faster sign-in to a Windows 10 shared pc @@ -237,7 +237,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in.](images/fastsignin.png "fast sign-in") + ![fast sign-in](images/fastsignin.png "fast sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. 
@@ -259,7 +259,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 4. Click the **Sign in** button to continue. > [!div class="mx-imgBorder"] - > ![Web sign-in.](images/websignin.png "web sign-in") + > ![Web sign-in](images/websignin.png "web sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. @@ -271,7 +271,7 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. > [!div class="mx-imgBorder"] -> ![your phone.](images/your-phone.png "your phone") +> ![your phone](images/your-phone.png "your phone") The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. @@ -283,7 +283,7 @@ One of the things we’ve heard from you is that it’s hard to know when you’ * Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly * Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. -![wireless projection banner.](images/beaming.png "wireless projection banner") +![wireless projection banner](images/beaming.png "wireless projection banner") ## Remote Desktop with Biometrics 
@@ -293,6 +293,6 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: -![Enter your credentials.](images/RDPwBioTime.png "Windows Hello") -![Enter your credentials.](images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016") +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 74eb1725e2..371bf97c95 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -125,7 +125,7 @@ The draft release of the [security configuration baseline settings](/archive/blo This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: -![System Guard.](images/system-guard.png "SMM Firmware Measurement") +![System Guard](images/system-guard.png "SMM Firmware Measurement") ### Identity Protection diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 692871b1c3..ac0d4984f2 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md 
@@ -43,7 +43,7 @@ In this release, [Windows Defender System Guard](/windows/security/threat-prote With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. - ![System Guard.](images/system-guard2.png) + ![System Guard](images/system-guard2.png) ### Windows Defender Application Guard From de364ca11502abb8d95f93847f7662f557d00144 Mon Sep 17 00:00:00 2001 
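Review bot: the alt text in the `whats-new-windows-10-version-1809.md` hunk at `@@ -109,16 +109,16 @@` still reads `Security at a glance` for `1_AppBrowser.png`, whose title is `app and browser control`, so the description no longer matches the image; since this change already rewrites that line to drop the trailing period, consider aligning the alt text with the title, for example `App and browser control`.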
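Review bot: `alt text` in the `whats-new-windows-10-version-1809.md` hunk at `@@ -130,7 +130,7 @@` is a leftover placeholder rather than a description of `defender.png`; the `whats-new-windows-10-2019.md` hunk at `@@ -275,7 +275,7 @@` uses `Security at a glance` for the same image, which would serve here too.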
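Review bot: in the `whats-new-windows-10-2019.md` hunk at `@@ -288,7 +288,7 @@` the alt text `S mode settings` does not describe `virus-and-threat-protection.png`, which the preceding sentence introduces as the Virus & threat protection screen; the `whats-new-windows-10-version-1809.md` hunk at `@@ -46,7 +46,7 @@` uses `Virus & threat protection settings` for the same image, and the same wording would fix this line while the period is being removed.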
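Review bot: the first two screenshots in the `whats-new-windows-10-version-1809.md` hunk at `@@ -293,6 +293,6 @@` keep identical alt text (`Enter your credentials`) although their titles, `Windows Hello` and `Windows Hello personal`, show they are different steps; the `whats-new-windows-10-2019.md` hunk at `@@ -650,9 +650,9 @@` distinguishes the same two images as `Enter your credentials` and `Provide credentials`, and matching that here would keep the two articles consistent for screen-reader users.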
From: Alekhya Jupudi Date: Fri, 27 Aug 2021 12:01:28 +0530 Subject: [PATCH 28/41] Revert "Revert "Merge branch 'master' into aljupudi-w11defender-branch01"" This reverts commit e87ef8501d40b3c702f8ea2aea542b91cc179bf2. --- CONTRIBUTING.md | 10 +- ...ct-data-using-enterprise-site-discovery.md | 14 +- ...rprise-mode-logging-and-data-collection.md | 18 +- ...-on-enterprise-mode-and-use-a-site-list.md | 4 +- ...control-and-logging-for-enterprise-mode.md | 4 +- ...ct-data-using-enterprise-site-discovery.md | 14 +- .../deprecated-document-modes.md | 2 +- ...doc-modes-and-enterprise-mode-site-list.md | 6 +- .../out-of-date-activex-control-blocking.md | 6 +- ...-the-default-browser-using-group-policy.md | 2 +- ...rprise-mode-logging-and-data-collection.md | 18 +- ...s-and-tricks-to-manage-ie-compatibility.md | 4 +- ...-on-enterprise-mode-and-use-a-site-list.md | 4 +- ...control-and-logging-for-enterprise-mode.md | 4 +- .../licensing-version-and-features-ieak11.md | 52 ++--- .../educator-tib-get-started.md | 62 +++--- education/trial-in-a-box/index.md | 4 +- .../trial-in-a-box/itadmin-tib-get-started.md | 46 ++--- education/trial-in-a-box/support-options.md | 12 +- education/windows/autopilot-reset.md | 8 +- education/windows/change-to-pro-education.md | 20 +- .../windows/chromebook-migration-guide.md | 4 +- .../configure-windows-for-education.md | 10 +- .../deploy-windows-10-in-a-school-district.md | 16 +- .../windows/deploy-windows-10-in-a-school.md | 14 +- .../windows/edu-deployment-recommendations.md | 12 +- .../education-scenarios-store-for-business.md | 4 +- .../windows/get-minecraft-for-education.md | 6 +- education/windows/index.md | 10 +- education/windows/school-get-minecraft.md | 46 ++--- .../set-up-school-pcs-azure-ad-join.md | 2 +- .../set-up-students-pcs-to-join-domain.md | 2 +- .../windows/set-up-students-pcs-with-apps.md | 26 +-- education/windows/set-up-windows-10.md | 2 +- education/windows/take-a-test-multiple-pcs.md | 14 +- 
education/windows/take-a-test-single-pc.md | 4 +- education/windows/take-tests-in-windows-10.md | 2 +- education/windows/teacher-get-minecraft.md | 22 +- .../windows/use-set-up-school-pcs-app.md | 2 +- smb/cloud-mode-business-setup.md | 92 ++++----- smb/index.md | 6 +- ...quire-apps-microsoft-store-for-business.md | 2 +- .../billing-understand-your-invoice-msfb.md | 6 +- ...or-business-education-powershell-module.md | 2 +- ...oubleshoot-microsoft-store-for-business.md | 10 +- ...-new-microsoft-store-business-education.md | 4 +- .../working-with-line-of-business-apps.md | 2 +- ...ation-publishing-and-client-interaction.md | 6 +- .../app-v/appv-deployment-checklist.md | 6 +- .../app-v/appv-install-the-sequencer.md | 2 +- .../app-v/appv-planning-checklist.md | 12 +- ...enterprise-background-activity-controls.md | 6 +- .../per-user-services-in-windows.md | 14 +- .../svchost-service-refactoring.md | 8 +- .../administrative-tools-in-windows-10.md | 4 +- ...nced-troubleshooting-802-authentication.md | 20 +- .../advanced-troubleshooting-boot-problems.md | 2 +- ...eshooting-wireless-network-connectivity.md | 4 +- ...t-removal-policy-external-storage-media.md | 2 +- .../connect-to-remote-aadj-pc.md | 4 +- .../client-management/img-boot-sequence.md | 2 +- .../introduction-page-file.md | 6 +- ...e-device-installation-with-group-policy.md | 38 ++-- .../manage-settings-app-with-group-policy.md | 2 +- ...-in-your-organization-modern-management.md | 2 +- .../mandatory-user-profile.md | 16 +- .../mdm/accountmanagement-csp.md | 2 +- ...ure-ad-tenant-and-azure-ad-subscription.md | 32 +-- .../client-management/mdm/applocker-csp.md | 6 +- .../mdm/appv-deploy-and-config.md | 2 +- ...e-active-directory-integration-with-mdm.md | 6 +- ...omatic-mdm-enrollment-in-the-new-portal.md | 4 +- .../client-management/mdm/bootstrap-csp.md | 2 +- .../mdm/browserfavorite-csp.md | 2 +- ...ollment-using-windows-provisioning-tool.md | 16 +- .../mdm/cellularsettings-csp.md | 2 +- 
.../mdm/cm-cellularentries-csp.md | 2 +- ...onfiguration-service-provider-reference.md | 60 +++--- .../mdm/device-update-management.md | 14 +- .../mdm/deviceinstanceservice-csp.md | 2 +- .../client-management/mdm/devicelock-csp.md | 2 +- .../diagnose-mdm-failures-in-windows-10.md | 20 +- .../disconnecting-from-mdm-unenrollment.md | 2 +- .../mdm/eap-configuration.md | 22 +- .../mdm/enable-admx-backed-policies-in-mdm.md | 12 +- ...dded-8-1-handheld-devices-to-windows-10.md | 44 ++-- ...device-automatically-using-group-policy.md | 44 ++-- .../mdm/enterprise-app-management.md | 2 +- .../mdm/enterpriseappmanagement-csp.md | 2 +- .../client-management/mdm/filesystem-csp.md | 2 +- .../mdm/healthattestation-csp.md | 2 +- windows/client-management/mdm/hotspot-csp.md | 2 +- ...rver-side-mobile-application-management.md | 2 +- ...ent-tool-for-windows-store-for-business.md | 6 +- .../mdm/mdm-enrollment-of-windows-devices.md | 76 +++---- .../client-management/mdm/messaging-csp.md | 2 +- .../mdm/mobile-device-enrollment.md | 2 +- windows/client-management/mdm/napdef-csp.md | 4 +- ...ew-in-windows-mdm-enrollment-management.md | 10 +- .../mdm/passportforwork-csp.md | 4 +- .../policy-configuration-service-provider.md | 2 +- .../mdm/policy-csp-deviceinstallation.md | 8 +- .../mdm/policy-csp-mixedreality.md | 28 +-- .../mdm/policy-csp-system.md | 15 +- .../mdm/push-notification-windows-mdm.md | 16 +- .../client-management/mdm/pxlogical-csp.md | 4 +- ...ree-azure-active-directory-subscription.md | 6 +- .../mdm/securitypolicy-csp.md | 2 +- .../mdm/understanding-admx-backed-policies.md | 4 +- .../mdm/unifiedwritefilter-csp.md | 2 +- windows/client-management/mdm/vpn-csp.md | 2 +- .../mdm/w4-application-csp.md | 2 +- .../mdm/w7-application-csp.md | 2 +- windows/client-management/mdm/wifi-csp.md | 2 +- .../mdm/windows-mdm-enterprise-settings.md | 2 +- .../windowsadvancedthreatprotection-csp.md | 2 +- .../mdm/wmi-providers-supported-in-windows.md | 60 +++--- 
windows/client-management/quick-assist.md | 2 +- .../troubleshoot-inaccessible-boot-device.md | 16 +- .../troubleshoot-stop-errors.md | 4 +- .../troubleshoot-tcpip-connectivity.md | 16 +- .../troubleshoot-tcpip-netmon.md | 8 +- .../troubleshoot-tcpip-port-exhaust.md | 18 +- .../troubleshoot-tcpip-rpc-errors.md | 10 +- .../windows-version-search.md | 10 +- .../configure-windows-10-taskbar.md | 16 +- .../cortana-at-work/cortana-at-work-crm.md | 4 +- .../cortana-at-work-powerbi.md | 26 +-- .../cortana-at-work-voice-commands.md | 2 +- .../customize-and-export-start-layout.md | 2 +- ...-10-start-screens-by-using-group-policy.md | 4 +- ...-by-using-provisioning-packages-and-icd.md | 2 +- ...ation-user-model-id-of-an-installed-app.md | 2 +- windows/configuration/kiosk-methods.md | 12 +- windows/configuration/kiosk-prepare.md | 4 +- windows/configuration/kiosk-shelllauncher.md | 2 +- windows/configuration/kiosk-single-app.md | 10 +- windows/configuration/kiosk-troubleshoot.md | 2 +- .../lock-down-windows-10-applocker.md | 8 +- .../lock-down-windows-10-to-specific-apps.md | 14 +- .../manage-wifi-sense-in-enterprise.md | 6 +- .../mobile-devices/lockdown-xml.md | 30 +-- .../mobile-lockdown-designer.md | 28 +-- .../provisioning-configure-mobile.md | 6 +- .../mobile-devices/provisioning-nfc.md | 2 +- ...kiosk-for-windows-10-for-mobile-edition.md | 12 +- .../mobile-devices/start-layout-xml-mobile.md | 2 +- windows/configuration/provisioning-apn.md | 4 +- ...can-use-configuration-service-providers.md | 10 +- .../provision-pcs-for-initial-deployment.md | 6 +- ...rovision-pcs-with-apps-and-certificates.md | 8 +- .../provision-pcs-with-apps.md | 10 +- .../provisioning-apply-package.md | 14 +- .../provisioning-create-package.md | 10 +- .../provisioning-install-icd.md | 2 +- .../provisioning-multivariant.md | 2 +- .../provisioning-packages.md | 2 +- .../provisioning-script-to-install-app.md | 4 +- .../set-up-shared-or-guest-pc.md | 8 +- .../start-layout-troubleshoot.md | 14 +- 
.../configuration/start-secondary-tiles.md | 8 +- .../uev-deploy-uev-for-custom-applications.md | 2 +- windows/configuration/ue-v/uev-for-windows.md | 4 +- .../ue-v/uev-prepare-for-deployment.md | 16 +- .../uev-upgrade-uev-from-previous-releases.md | 2 +- .../configuration/wcd/wcd-admxingestion.md | 4 +- ...ws-10-start-layout-options-and-policies.md | 4 +- windows/configuration/windows-spotlight.md | 8 +- windows/deployment/TOC.yml | 2 + .../deployment/deploy-enterprise-licenses.md | 6 +- windows/deployment/deploy-m365.md | 4 +- windows/deployment/deploy-whats-new.md | 2 +- ...ystem-image-using-configuration-manager.md | 4 +- ...-windows-pe-using-configuration-manager.md | 16 +- ...e-boot-image-with-configuration-manager.md | 10 +- ...ence-with-configuration-manager-and-mdt.md | 4 +- ...-windows-10-using-configuration-manager.md | 4 +- ...-10-using-pxe-and-configuration-manager.md | 30 +-- ...0-deployment-with-configuration-manager.md | 12 +- ...f-windows-10-with-configuration-manager.md | 22 +- ...-windows-10-using-configuration-manager.md | 22 +- ...-windows-10-using-configuration-manager.md | 24 +-- ...to-windows-10-with-configuraton-manager.md | 16 +- .../assign-applications-using-roles-in-mdt.md | 6 +- ...d-environment-for-windows-10-deployment.md | 10 +- .../configure-mdt-settings.md | 2 +- .../create-a-windows-10-reference-image.md | 28 +-- .../deploy-a-windows-10-image-using-mdt.md | 38 ++-- ...d-with-the-microsoft-deployment-toolkit.md | 8 +- ...prepare-for-windows-deployment-with-mdt.md | 10 +- ...sh-a-windows-7-computer-with-windows-10.md | 6 +- ...s-7-computer-with-a-windows-10-computer.md | 12 +- .../set-up-mdt-for-bitlocker.md | 6 +- ...ows-10-deployment-in-a-test-environment.md | 4 +- ...0-with-the-microsoft-deployment-toolkit.md | 8 +- .../use-orchestrator-runbooks-with-mdt.md | 20 +- ...stage-windows-10-deployment-information.md | 8 +- .../use-web-services-in-mdt.md | 16 +- windows/deployment/index.yml | 2 +- windows/deployment/mbr-to-gpt.md | 2 +- 
...compatibility-administrator-users-guide.md | 2 +- ...oyment-considerations-for-windows-to-go.md | 12 +- ...rstanding-and-using-compatibility-fixes.md | 4 +- .../deployment/planning/using-the-sua-tool.md | 2 +- .../planning/using-the-sua-wizard.md | 2 +- .../windows-10-infrastructure-requirements.md | 2 +- windows/deployment/s-mode.md | 4 +- windows/deployment/update/PSFxWhitepaper.md | 8 +- windows/deployment/update/WIP4Biz-intro.md | 2 +- .../deployment/update/check-release-health.md | 12 +- .../update/deployment-service-overview.md | 4 +- .../get-started-updates-channels-tools.md | 12 +- .../update/how-windows-update-works.md | 14 +- .../deployment/update/media-dynamic-update.md | 2 +- .../olympia/olympia-enrollment-guidelines.md | 14 +- .../deployment/update/plan-define-strategy.md | 4 +- windows/deployment/update/safeguard-holds.md | 2 +- ...update-compliance-delivery-optimization.md | 2 +- ...update-compliance-feature-update-status.md | 2 +- .../update-compliance-need-attention.md | 2 +- ...pdate-compliance-security-update-status.md | 2 +- .../update/update-compliance-using.md | 8 +- .../deployment/update/waas-configure-wufb.md | 2 +- .../waas-delivery-optimization-setup.md | 2 +- .../update/waas-delivery-optimization.md | 2 +- ...aas-deployment-rings-windows-10-updates.md | 12 +- .../deployment/update/waas-integrate-wufb.md | 2 +- .../update/waas-manage-updates-wsus.md | 48 ++--- .../update/waas-manage-updates-wufb.md | 14 +- .../waas-optimize-windows-10-updates.md | 16 +- windows/deployment/update/waas-overview.md | 14 +- windows/deployment/update/waas-restart.md | 19 +- ...s-servicing-channels-windows-10-updates.md | 24 +-- .../update/waas-servicing-differences.md | 6 +- ...s-servicing-strategy-windows-10-updates.md | 14 +- .../deployment/update/waas-wufb-csp-mdm.md | 18 +- .../update/waas-wufb-group-policy.md | 18 +- windows/deployment/update/waas-wufb-intune.md | 20 +- .../deployment/update/windows-update-logs.md | 10 +- 
.../update/windows-update-overview.md | 2 +- .../update/wufb-compliancedeadlines.md | 12 +- .../deployment/update/wufb-manageupdate.md | 2 +- windows/deployment/upgrade/quick-fixes.md | 8 +- windows/deployment/upgrade/setupdiag.md | 14 +- windows/deployment/upgrade/submit-errors.md | 4 +- .../upgrade/troubleshoot-upgrade-errors.md | 14 +- .../upgrade/windows-10-edition-upgrades.md | 42 ++-- .../upgrade/windows-error-reporting.md | 2 +- .../usmt/migration-store-types-overview.md | 2 +- .../usmt/usmt-common-migration-scenarios.md | 4 +- ...ctive-directory-based-activation-client.md | 12 +- ...ivate-using-key-management-service-vamt.md | 12 +- .../activate-windows-10-clients-vamt.md | 4 +- .../add-remove-computers-vamt.md | 2 +- .../configure-client-computers-vamt.md | 2 +- .../volume-activation/install-vamt.md | 4 +- .../volume-activation/introduction-vamt.md | 4 +- .../plan-for-volume-activation-client.md | 6 +- .../scenario-online-activation-vamt.md | 2 +- .../scenario-proxy-activation-vamt.md | 2 +- ...olume-activation-management-tool-client.md | 4 +- .../volume-activation/vamt-known-issues.md | 2 +- .../windows-10-deployment-posters.md | 4 +- windows/deployment/windows-10-media.md | 4 +- windows/deployment/windows-10-poc-mdt.md | 4 +- .../windows-10-poc-sc-config-mgr.md | 18 +- windows/deployment/windows-10-poc.md | 16 +- .../windows-10-subscription-activation.md | 14 +- .../demonstrate-deployment-on-vm.md | 128 ++++++------ .../windows-deployment-scenarios-and-tools.md | 28 +-- .../privacy/Microsoft-DiagnosticDataViewer.md | 4 +- .../diagnostic-data-viewer-overview.md | 16 +- ...system-components-to-microsoft-services.md | 192 +++++++++--------- .../active-directory-accounts.md | 30 +-- .../access-control/local-accounts.md | 16 +- .../access-control/security-identifiers.md | 2 +- .../access-control/security-principals.md | 2 +- .../identity-protection/configure-s-mime.md | 8 +- .../credential-guard-how-it-works.md | 2 +- .../credential-guard-manage.md | 4 +- 
.../enterprise-certificate-pinning.md | 12 +- .../feature-multifactor-unlock.md | 4 +- .../hello-adequate-domain-controllers.md | 10 +- .../hello-cert-trust-adfs.md | 20 +- .../hello-cert-trust-validate-ad-prereq.md | 2 +- .../hello-deployment-rdp-certs.md | 6 +- .../hello-errors-during-pin-creation.md | 2 +- .../hello-feature-pin-reset.md | 8 +- .../hello-feature-remote-desktop.md | 2 +- .../hello-how-it-works-authentication.md | 10 +- .../hello-how-it-works-provisioning.md | 12 +- .../hello-hybrid-aadj-sso-base.md | 52 ++--- .../hello-hybrid-aadj-sso-cert.md | 94 ++++----- .../hello-hybrid-cert-trust-devreg.md | 18 +- .../hello-hybrid-cert-whfb-provision.md | 8 +- .../hello-hybrid-key-whfb-provision.md | 8 +- .../hello-key-trust-adfs.md | 20 +- .../hello-for-business/hello-overview.md | 2 +- .../hello-prepare-people-to-use.md | 6 +- .../passwordless-strategy.md | 20 +- .../retired/hello-how-it-works.md | 2 +- .../remote-credential-guard.md | 6 +- .../smart-card-and-remote-desktop-services.md | 2 +- .../smart-cards/smart-card-architecture.md | 8 +- ...rt-card-certificate-propagation-service.md | 2 +- ...ertificate-requirements-and-enumeration.md | 12 +- .../smart-card-removal-policy-service.md | 2 +- .../how-user-account-control-works.md | 10 +- ...l-smart-card-deploy-virtual-smart-cards.md | 2 +- .../virtual-smart-card-evaluate-security.md | 2 +- .../virtual-smart-card-get-started.md | 22 +- ...tual-smart-card-use-virtual-smart-cards.md | 2 +- .../vpn/vpn-authentication.md | 2 +- .../vpn/vpn-auto-trigger-profile.md | 4 +- .../vpn/vpn-conditional-access.md | 2 +- .../vpn/vpn-connection-type.md | 6 +- .../vpn/vpn-name-resolution.md | 2 +- .../vpn/vpn-profile-options.md | 2 +- .../identity-protection/vpn/vpn-routing.md | 4 +- .../vpn/vpn-security-features.md | 2 +- ...dential-theft-mitigation-guide-abstract.md | 2 +- .../bitlocker/bitlocker-countermeasures.md | 4 +- .../bitlocker-deployment-comparison.md | 48 ++--- .../bitlocker-recovery-guide-plan.md | 16 +- 
...ve-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker/troubleshoot-bitlocker.md | 4 +- .../ts-bitlocker-cannot-encrypt-issues.md | 4 +- .../ts-bitlocker-decode-measured-boot-logs.md | 16 +- .../bitlocker/ts-bitlocker-intune-issues.md | 38 ++-- .../kernel-dma-protection-for-thunderbolt.md | 10 +- .../secure-the-windows-10-boot-process.md | 4 +- .../tpm/how-windows-uses-the-tpm.md | 4 +- ...reate-and-verify-an-efs-dra-certificate.md | 2 +- ...e-vpn-and-wip-policy-using-intune-azure.md | 8 +- .../create-wip-policy-using-configmgr.md | 40 ++-- .../create-wip-policy-using-intune-azure.md | 56 ++--- .../deploy-wip-policy-using-intune-azure.md | 2 +- .../wip-app-enterprise-context.md | 4 +- .../wip-learning.md | 8 +- ...tion-based-protection-of-code-integrity.md | 4 +- .../coordinated-malware-eradication.md | 2 +- .../intelligence/fileless-threats.md | 4 +- .../intelligence/malware-naming.md | 2 +- .../intelligence/phishing.md | 2 +- .../portal-submission-troubleshooting.md | 14 +- .../intelligence/worms-malware.md | 2 +- .../mbsa-removal-and-guidance.md | 4 +- .../install-md-app-guard.md | 6 +- .../md-app-guard-overview.md | 2 +- .../test-scenarios-md-app-guard.md | 34 ++-- ...microsoft-defender-smartscreen-overview.md | 2 +- ...ender-smartscreen-set-individual-device.md | 2 +- ...tions-for-app-related-security-policies.md | 6 +- ...iew-of-threat-mitigations-in-windows-10.md | 4 +- ...-the-health-of-windows-10-based-devices.md | 26 +-- ...-information-when-the-session-is-locked.md | 2 +- .../security-policy-settings.md | 8 +- ...arding-to-assist-in-intrusion-detection.md | 8 +- .../windows-10-mobile-security-guide.md | 2 +- .../LOB-win32-apps-on-s.md | 6 +- .../plan-for-applocker-policy-management.md | 2 +- ...ent-setting-inheritance-in-group-policy.md | 2 +- ...the-applocker-policy-deployment-process.md | 2 +- ...s-defender-application-control-policies.md | 2 +- ...s-defender-application-control-policies.md | 2 +- 
...or-windows-defender-application-control.md | 8 +- ...rt-windows-defender-application-control.md | 20 +- ...ion-control-policies-using-group-policy.md | 6 +- ...plication-control-policies-using-intune.md | 2 +- ...defender-application-control-management.md | 2 +- .../wdac-wizard-create-base-policy.md | 10 +- .../wdac-wizard-create-supplemental-policy.md | 12 +- .../wdac-wizard-editing-policy.md | 4 +- .../wdac-wizard-merging-policies.md | 2 +- .../wdsc-account-protection.md | 2 +- .../wdsc-app-browser-control.md | 2 +- .../wdsc-customize-contact-information.md | 4 +- .../wdsc-device-performance-health.md | 2 +- .../wdsc-device-security.md | 2 +- .../wdsc-family-options.md | 2 +- .../wdsc-firewall-network-protection.md | 2 +- .../wdsc-virus-threat-protection.md | 2 +- .../wdsc-windows-10-in-s-mode.md | 2 +- .../windows-defender-security-center.md | 10 +- ...sed-root-of-trust-helps-protect-windows.md | 4 +- ...-guard-secure-launch-and-smm-protection.md | 8 +- .../best-practices-configuring.md | 14 +- .../windows-firewall/boundary-zone.md | 2 +- ...create-windows-firewall-rules-in-intune.md | 2 +- .../domain-isolation-policy-design-example.md | 2 +- .../domain-isolation-policy-design.md | 2 +- .../filter-origin-documentation.md | 10 +- .../firewall-policy-design-example.md | 2 +- ...wall-with-advanced-security-design-plan.md | 2 +- .../windows-firewall/quarantine.md | 4 +- ...n-accessing-sensitive-network-resources.md | 2 +- ...cess-to-only-specified-users-or-devices.md | 2 +- ...restrict-access-to-only-trusted-devices.md | 2 +- ...to-end-ipsec-connections-by-using-ikev2.md | 6 +- .../server-isolation-policy-design-example.md | 2 +- .../server-isolation-policy-design.md | 2 +- ...-administration-with-windows-powershell.md | 4 +- .../windows-security-baselines.md | 6 +- .../windows-security-baselines.md | 6 +- windows/whats-new/contribute-to-a-topic.md | 10 +- .../ltsc/whats-new-windows-10-2019.md | 20 +- .../whats-new-windows-10-version-1703.md | 8 +- 
.../whats-new-windows-10-version-1809.md | 36 ++-- .../whats-new-windows-10-version-1903.md | 2 +- .../whats-new-windows-10-version-2004.md | 2 +- 410 files changed, 2137 insertions(+), 2121 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 75cb7255c8..ef3a69ff52 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible. 1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**. - ![GitHub Web, showing the Edit link](images/contribute-link.png) + ![GitHub Web, showing the Edit link.](images/contribute-link.png) 2. Log into (or sign up for) a GitHub account. @@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible. 3. Click the **Pencil** icon (in the red box) to edit the content. - ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) + ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) 
@@ -37,11 +37,11 @@ We've tried to make editing an existing, public file as simple as possible. 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. - ![GitHub Web, showing the Propose file change button](images/propose-file-change.png) + ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) The **Comparing changes** screen appears to see what the changes are between your fork and the original content. @@ -49,7 +49,7 @@ We've tried to make editing an existing, public file as simple as possible. If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index 4fc4fb1ecc..d4f9600d8b 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md 
@@ -34,11 +34,11 @@ Before you start, you need to make sure you have the following: 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png) 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - ![affected software section](images/affectedsoftware.png) + ![affected software section.](images/affectedsoftware.png) 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. @@ -280,13 +280,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png) 2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. 3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png) 4. Select the check boxes next to the following classes, and then click **OK**: 
@@ -393,12 +393,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam ### SCCM Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) ### SCCM Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) +![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) ## View the collected XML data After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: @@ -436,7 +436,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md index 47322f0c03..923d4dfe04 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -27,11 +27,11 @@ ms.date: 07/27/2017 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. -![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) +![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png) The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. -![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) +![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png) Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. 
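Review bot: the unchanged context in this hunk still recommends collecting Enterprise Mode user reports over a custom HTTP port 81 ("We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site"); because the report URL carries the address of every site a user toggles into Enterprise Mode, sending it over plain HTTP exposes that list of internal hostnames to anyone on the network path, so the guidance around this screenshot should at least point readers to binding the dedicated site to HTTPS. The alt-text period additions in the hunk itself are fine and consistent with the rest of the patch.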
@@ -47,11 +47,11 @@ This lets you create an ASP form that accepts the incoming POST messages. 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png) 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options](images/ie-emie-logging.png) + ![IIS Manager, setting logging options.](images/ie-emie-logging.png) 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. @@ -72,7 +72,7 @@ This code logs your POST fields to your IIS log file, where you can review all o ### IIS log file information This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. -![Enterprise Mode log file](images/ie-emie-logfile.png) +![Enterprise Mode log file.](images/ie-emie-logfile.png) ## Using the GitHub sample to collect your data @@ -99,14 +99,14 @@ The required packages are automatically downloaded and included in the solution. 1. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png) 2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. @@ -131,7 +131,7 @@ The required packages are automatically downloaded and included in the solution. - Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. - ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png) ### Troubleshooting publishing errors @@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png) 2. Click **Updates** on the left side of the tool, and click the **Update All** button.

You may need to do some additional package cleanup to remove older package versions. diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md index 4651adf5cf..4573423115 100644 --- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.

Turning this setting on also requires you to create and store a site list. 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. @@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t 2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.

For example: + ![Enterprise mode with site list in the registry.](../edge/images/enterprise-mode-value-data.png) --> - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"` diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md index b34f9be63f..c8ef3d030c 100644 --- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting.](images/ie-emie-editpolicy.png) 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. @@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 1acd936993..65fbb8eaaf 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following: 1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**. - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png) 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - ![affected software section](images/affectedsoftware.png) + ![affected software section.](images/affectedsoftware.png) 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. 
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png) 2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. 3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png) 4. Select the check boxes next to the following classes, and then click **OK**: 
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam ### SCCM Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) ### SCCM Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) +![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) ## View the collected XML data After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: @@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png) 2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index e8d1ec3d7d..5cfa201d18 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the ## Document mode selection flowchart This flowchart shows how IE11 works when document modes are used. -![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
+![Flowchart detailing how document modes are chosen in IE11.](images/docmode-decisions-sm.png)
[Click this link to enlarge image](img-ie11-docmode-lg.md) ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 333686dc07..9ec7ddf862 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time, 1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. - ![Emulation tool showing document mode selection](images/docmode-f12.png) + ![Emulation tool showing document mode selection.](images/docmode-f12.png) 2. Starting with the **11 (Default)** option, test your broken scenario.
If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)). @@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris 1. Open the Enterprise Mode Site List Manager, and click **Add**. - ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) + ![Enterprise Mode Site List Manager, showing the available modes.](images/emie-listmgr.png) 2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. @@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what- ### Review your Enterprise Mode site list Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: -![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) +![Enterprise Mode Site List Manager, showing the different modes.](images/emie-sitelistmgr.png) And the underlying XML code will look something like: diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 75283c1f64..4eed39657f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md 
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi **Internet Explorer 9 through Internet Explorer 11** -![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) +![Warning about outdated activex controls (ie9+).](images/outdatedcontrolwarning.png) **Windows Internet Explorer 8** -![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) +![Warning about outdated activex controls (ie8).](images/ieoutdatedcontrolwarning.png) Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: -![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) +![Warning about outdated activex controls outside ie.](images/ieoutdatedcontroloutsideofie.png) ## How do I fix an outdated ActiveX control or app? diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 6edccdda73..9424e5e32f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration 1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). - ![set default associations group policy setting](images/setdefaultbrowsergp.png) + ![set default associations group policy setting.](images/setdefaultbrowsergp.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index dd26f8e369..b42426f1d7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md 
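Review bot: the context line in this hunk links to `[Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268)` with a space before the URL inside the parentheses; some Markdown renderers then emit the brackets as literal text instead of a link, so drop the space while this file is being touched. The new alt text `set default associations group policy setting.` is also lowercase where most alt text in this patch uses sentence case; `Set a default associations configuration file Group Policy setting.` would be consistent and tells a screen-reader user which setting the screenshot shows.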
@@ -31,11 +31,11 @@ ms.date: 07/27/2017 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. -![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) +![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png) The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. -![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) +![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png) Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. 
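Review bot: the paragraph this hunk edits still recommends sending Enterprise Mode user reports to "a custom HTTP port 81". Those reports carry the client IP and the URL of every site a user toggled Enterprise Mode on, and the IIS logging steps later in this file add the user name, so a plain-HTTP endpoint exposes that data to anyone on the path. The setting takes a URL, so the guidance should recommend an `https://` reporting endpoint with a certificate bound in IIS, or at minimum state that port 81 is unencrypted and must stay reachable only from the internal network.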
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png) 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options](images/ie-emie-logging.png) + ![IIS Manager, setting logging options.](images/ie-emie-logging.png) 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. @@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can ### IIS log file information This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. -![Enterprise Mode log file](images/ie-emie-logfile.png) +![Enterprise Mode log file.](images/ie-emie-logfile.png) ## Using the GitHub sample to collect your data @@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can 5. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png) 6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. @@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can - Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. - ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png) ### Troubleshooting publishing errors @@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd 1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png) 2. Click **Updates** on the left side of the tool, and click the **Update All** button.

You may need to do some additional package cleanup to remove older package versions. diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index 14bd40e745..ec77071c73 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -28,7 +28,7 @@ Jump to: [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. -![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) +![Internet Explorer Enterprise Modes and document modes.](images/img-enterprise-mode-site-list-xml.jpg) Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. 
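Review bot: two typos sit on context lines next to the alt-text edits above and are worth fixing in the same pass. In `set-up-enterprise-mode-logging-and-data-collection.md`, step 5 of the `@@ -51,11 +51,11 @@` hunk says `Change the WC3 logging fields` where step 4 correctly says `W3C`. In the `tips-and-tricks-to-manage-ie-compatibility.md` hunk, `include IE8 and IE7 Enterprise Modes, without changing a single line of code` should read `including IE8 and IE7 Enterprise Modes`.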
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern - Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. - ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) + ![F12 Developer Tools Emulation tab.](images/img-f12-developer-tools-emulation.jpg) - Run the site in each document mode until you find the mode in which the site works. diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 8c84054dc3..1b32fa64ad 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) + ![local group policy editor for using a site list.](images/ie-emie-grouppolicysitelist.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. @@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi 4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: - ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) + ![enterprise mode with site list in the registry.](images/ie-emie-registrysitelist.png) - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index b4db0fb7a4..897b27ceed 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md 
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting.](images/ie-emie-editpolicy.png) 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. @@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E 5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index fd6904f4a8..54ae269373 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md 
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or | Feature | Internal | External | |-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:| -| Welcome screen | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| File locations | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Platform selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Language selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Package type selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Feature selection | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Automatic Version Synchronization (AVS) | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Custom components | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Internal install | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| User experience | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Browser user interface | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Search providers | ![Available](/microsoft-edge/deploy/images/148767.png) | 
![Available](/microsoft-edge/deploy/images/148767.png) | -| Important URLs – Home page and support | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Accelerators | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Favorites, Favorites bar, and feeds | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Browsing options | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| First Run wizard and Welcome page options | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Connection manager | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Connection settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Automatic configuration | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Proxy settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Security and privacy settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Add a root certificate | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Programs | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | -| Additional settings | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | -| Wizard complete | 
![Available](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Welcome screen | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| File locations | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Platform selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Language selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Package type selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Feature selection | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Automatic Version Synchronization (AVS) | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Custom components | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Internal install | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| User experience | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Browser user interface | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Search providers | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Important URLs – Home page and support | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Accelerators | 
![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Favorites, Favorites bar, and feeds | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Browsing options | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| First Run wizard and Welcome page options | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Connection manager | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Connection settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Automatic configuration | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Proxy settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Security and privacy settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Add a root certificate | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Programs | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | +| Additional settings | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) | +| Wizard complete | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Available](/microsoft-edge/deploy/images/148767.png) | --- 
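Review bot: the trailing period is applied only to the Internal column of this table; every External cell still reads `![Available](...)` or `![Not available](...)` without it, so the table ends up with two alt-text styles side by side. Apply the same change to the External column (`![Available.]` / `![Not available.]`), or, since the alt text is identical on every row, decide whether these icons need the period at all; either way the two columns should match.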
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index d0251e80ba..bbf1be6015 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -24,13 +24,13 @@ manager: dansimp | Tool | Description | | :---: |:--- | -| [![Connect the device to Wi-Fi](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. | -| [![Try Learning Tools Immersive Reader](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)**
Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. | -| [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | -| [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
Open [OneNote](#edu-task4) and create an example group project for your class. | -| [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
Try the [Photos app](#edu-task5) to make your own example video. | -| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | -| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. | +| [![Connect the device to Wi-Fi.](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. | +| [![Try Learning Tools Immersive Reader.](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)**
Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. | +| [![Launch Microsoft Teams.](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | +| [![Open OneNote.](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
Open [OneNote](#edu-task4) and create an example group project for your class. | +| [![Try Photos app.](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
Try the [Photos app](#edu-task5) to make your own example video. | +| [![Play with Minecraft: Education Edition.](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | +| [![Do Math with Windows Ink.](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
@@ -41,7 +41,7 @@ manager: dansimp
-![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png) +![Log in to Device A and connect to the school network.](images/edu-TIB-setp-1-jump.png) ## 1. Log in and connect to the school network To try out the educator tasks, start by logging in as a teacher. @@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.

-![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png) +![Improve student reading speed and comprehension.](images/edu-TIB-setp-2-jump.png) ## 2. Significantly improve student reading speed and comprehension > [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y] @@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse 4. Select the **Immersive Reader** button. - ![Word's Immersive Reader](images/word_online_immersive_reader.png) + ![Word's Immersive Reader.](images/word_online_immersive_reader.png) 5. Press the **Play** button to hear text read aloud. @@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse | Text to Speech | Text Preferences | Grammar Options | Line Focus | | :------------: | :--------------: | :-------------: | :--------: | - | ![Word Text to Speech](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) | + | ![Word Text to Speech.](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |

-![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) +![Spark communication, critical thinking, and creativity with Microsoft Teams.](images/edu-TIB-setp-3-jump.png) ## 3. Spark communication, critical thinking, and creativity in the classroom > [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8] @@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.

-![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png) +![Expand classroom collaboration and interaction with OneNote.](images/edu-TIB-setp-4-jump.png) ## 4. Expand classroom collaboration and interaction between students > [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE] @@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities. - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling. - ![OneNote Draw tab](images/onenote_draw.png) + ![OneNote Draw tab.](images/onenote_draw.png) - Type anywhere on the page! Just click your cursor where you want to place text. - Use the checkmark in the **Home** tab to keep track of completed tasks. - ![OneNote To Do Tag](images/onenote_checkmark.png) + ![OneNote To Do Tag.](images/onenote_checkmark.png) - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. - ![OneNote Researcher](images/onenote_researcher.png) + ![OneNote Researcher.](images/onenote_researcher.png)

@@ -178,7 +178,7 @@ Use video to create a project summary. 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this: - ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) + ![Photos app layout showing videos added in previous steps.](images/photo_app_1.png) 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. @@ -191,7 +191,7 @@ Use video to create a project summary. 4. Play back your effect. 5. Select **Done** when you have it where you want it. - ![Lighting bolt effect being added to a video clip](images/photo_app_2.png) + ![Lighting bolt effect being added to a video clip.](images/photo_app_2.png) 12. Select **Music** and select a track from the **Recommended** music collection. 1. The music will update automatically to match the length of your video project, even as you make changes. @@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F
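Review bot: The alt text `![Lighting bolt effect being added to a video clip.]` in the `@@ -191,7 +191,7 @@` hunk appears to preserve a spelling error (`Lighting` where the effect name is `Lightning`). Since the line is already being rewritten, correct the word at the same time rather than leaving a typo in text that screen readers will read aloud.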

-![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png) +![Further collaborate and problem solve with Minecraft: Education Edition.](images/edu-TIB-setp-5-jump.png) ## 6. Get kids to further collaborate and problem solve > [!VIDEO https://www.youtube.com/embed/QI_bRNUugog] @@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. 3. Scroll down to the **Details** section and select **Download World**. - ![Select the download world link](images/mcee_downloadworld.png) + ![Select the download world link.](images/mcee_downloadworld.png) 4. When prompted, save the world. @@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. - ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png) + ![Minecraft mouse and keyboard controls.](images/mcee_keyboard_mouse_controls.png) 12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting. @@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student. 2. Click **Class Resources**. 3. Click **Find a Lesson**. - ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png) + ![Access and adapt over 300 Minecraft lesson plans.](images/minecraft_lesson_plans.png)


-![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png) +![Help students understand new math concepts with the Math Assistant in OneNote.](images/Inking.png) ## 7. Use Windows Ink to provide a personal math tutor for your students The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph. @@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app To get started: 1. Open the OneNote app for Windows 10 (not OneNote 2016). - ![OneNote icon](images/OneNote_logo.png) + ![OneNote icon.](images/OneNote_logo.png) 2. In the top left corner, click on the **<** arrow to access your notebooks and pages. - ![OneNote back arrow navigation button](images/left_arrow.png) + ![OneNote back arrow navigation button.](images/left_arrow.png) 3. Click **Add Page** to launch a blank work space. - ![Select add page button](images/plus-page.png) + ![Select add page button.](images/plus-page.png) 4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. 
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions: 2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse. - ![Lasso button](images/lasso.png) + ![Lasso button.](images/lasso.png) 3. On the **Draw** tab, click the **Math** button. - ![Math button](images/math-button.png) + ![Math button.](images/math-button.png) 4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation. - ![Solve for x menu](images/solve-for-x.png) + ![Solve for x menu.](images/solve-for-x.png) 5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation. 6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem. - ![Replay button](images/replay.png) + ![Replay button.](images/replay.png) To graph the equation 3x+4=7, follow these instructions: 1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level. - ![Graph both sides in 2D](images/graph-for-x.png) + ![Graph both sides in 2D.](images/graph-for-x.png) 2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index f21a0ddcf4..5f1c865bce 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -16,7 +16,7 @@ ms.date: 12/11/2017 # Microsoft Education Trial in a Box -![Microsoft Education Trial in a Box - Unlock Limitless Learning](images/Unlock-Limitless-Learning.png) +![Microsoft Education Trial in a Box - Unlock Limitless Learning.](images/Unlock-Limitless-Learning.png)
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
-| [![Get started for Educators](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | +| [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | | :---: | :---: | | **Educator**
Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
[Get started](educator-tib-get-started.md) | **IT Admin**
Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
[Get started](itadmin-tib-get-started.md) | diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index be9a131941..d0ba6a05b3 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md 
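Review bot: In the index.md table hunk (`@@ -28,7 +28,7 @@`), only the Educators image receives the trailing period; the IT Admins cell on the same `+` line still reads `[![Get started for IT Admins](images/itadmin_rotated_resized.png)]`. Apply the same change to both cells so the two columns of the table stay consistent.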
@@ -24,11 +24,11 @@ manager: dansimp |  |  | | :---: |:--- | -| [![Log in to Device A](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. | -| [![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. | -| [![Configure Intune for Education](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. | -| [![Find and deploy apps](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. | -| [![Create custom folders](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. | +| [![Log in to Device A.](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. | +| [![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. | +| [![Configure Intune for Education.](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. | +| [![Find and deploy apps.](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. | +| [![Create custom folders.](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
-![Log in to Device A](images/admin-TIB-setp-1-jump.png) +![Log in to Device A.](images/admin-TIB-setp-1-jump.png) ## 1. Log in to Device A with your IT Admin credentials and connect to the school network To try out the IT admin tasks, start by logging in as an IT admin. @@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
-![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-jump.png) +![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-jump.png) ## 2. Configure Device B with Set up School PCs Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**. @@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca 1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store. - ![Microsoft Store from the Start menu](images/start_microsoft_store.png) + ![Microsoft Store from the Start menu.](images/start_microsoft_store.png) 2. Search for the **Set up School PCs** app. - ![Set up School PCs on Microsoft Store](images/microsoft_store_suspc_install.png) + ![Set up School PCs on Microsoft Store.](images/microsoft_store_suspc_install.png) 3. Click **Install**. @@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 1. On **Device A**, launch the Set up School PCs app. - ![Launch the Set up School PCs app](images/suspc_start.png) + ![Launch the Set up School PCs app.](images/suspc_start.png) 2. Click **Get started**. 3. Select **Sign-in**. @@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca We recommend checking the highlighted settings below: - ![Configure student PC settings](images/suspc_configure_pcsettings_selected.png) + ![Configure student PC settings.](images/suspc_configure_pcsettings_selected.png) - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes). - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC. 
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test. - ![Configure the Take a Test app](images/suspc_takeatest.png) + ![Configure the Take a Test app.](images/suspc_takeatest.png) 1. Specify if you want to create a Take a Test button on the students' sign-in screens. 2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. @@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca 8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision. - ![Recommended apps in Set up School PCs package configuration](images/suspc_configure_recommendedapps_v2.png) + ![Recommended apps in Set up School PCs package configuration.](images/suspc_configure_recommendedapps_v2.png) The recommended apps include the following: * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store. 
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes. - ![Select the section or page name to make a change](images/suspc_review_summary.png) + ![Select the section or page name to make a change.](images/suspc_review_summary.png) 10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package. 11. Select the drive and then **Save** to create the provisioning package. @@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n 1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**. - ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png) + ![The first screen to set up a new PC in Windows 10 Fall Creators Update.](images/win10_oobe_firstscreen.png) If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.** @@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
-![Express configure Intune for Education](images/admin-TIB-setp-3-jump.png) +![Express configure Intune for Education.](images/admin-TIB-setp-3-jump.png) ## 3. Express configure Intune for Education to manage devices, users, and policies Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. 1. Log into the Intune for Education console. 2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**. - ![Intune for Education dashboard](images/i4e_dashboard_expressconfig.png) + ![Intune for Education dashboard.](images/i4e_dashboard_expressconfig.png) 3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen. 4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group. 5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps. - ![Choose apps you want to provision to the group](images/i4e_expressconfig_chooseapps.png) + ![Choose apps you want to provision to the group.](images/i4e_expressconfig_chooseapps.png) 6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5. @@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
-![Find apps from the Microsoft Store for Education](images/admin-TIB-setp-4-jump.png) +![Find apps from the Microsoft Store for Education.](images/admin-TIB-setp-4-jump.png) ## 4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant The Microsoft Store for Education is where you can shop for more apps for your school. @@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s 2. In the **Store apps** section, select **+ New app** to go to the Microsoft Store for Education. 3. Select **Sign in** and start shopping for apps for your school. - ![Microsoft Store for Education site](images/msfe_portal.png) + ![Microsoft Store for Education site.](images/msfe_portal.png) 4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free: - Duolingo - Learn Languages for Free @@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - ![List of apps bought for the school](images/msfe_boughtapps.png) + ![List of apps bought for the school.](images/msfe_boughtapps.png) In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store. @@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
-![Create custom folders that appear on managed devices](images/admin-TIB-setp-5-jump.png) +![Create custom folders that appear on managed devices.](images/admin-TIB-setp-5-jump.png) ## 5. Create custom folders that will appear on each managed device's Start menu Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education. @@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and * 2. Select **Group > All Devices > Settings** and expand **Windows interface settings**. 3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**. - ![Choose folders that appear in the Start menu](images/screenshot-bug.png) + ![Choose folders that appear in the Start menu.](images/screenshot-bug.png) 4. **Save** your changes. diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 9cb32351de..627a78c9ef 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a > [!NOTE] > For the alternate email address, make sure you use a different address from your Office 365 email address. - ![Complete your contact details](images/o365_adminaccountinfo.png) + ![Complete your contact details.](images/o365_adminaccountinfo.png) 4. Click **Save**. 
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console. - ![Select Need help to get support](images/o365_needhelp.png) + ![Select Need help to get support.](images/o365_needhelp.png) You will see a sidebar window open up on the right-hand side of the screen. - ![Option to have a support representative call you](images/o365_needhelp_callingoption.png) + ![Option to have a support representative call you.](images/o365_needhelp_callingoption.png) If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**. - ![Track your support tickets](images/o365_needhelp_supporttickets.png) + ![Track your support tickets.](images/o365_needhelp_supporttickets.png) -2. Click the **question button** ![Question button](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. +2. Click the **question button** ![Question button.](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. 3. In the field below **Need help?**, enter a description of your help request. 4. Click the **Get help button**. 5. In the **Let us call you** section, enter a phone number where you can be reached. @@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it. 1. Go to https://portal.office.com 2. Select **Can't access your account** and follow the prompts to get back into your account. - ![Recover your account](images/officeportal_cantaccessaccount.png) + ![Recover your account.](images/officeportal_cantaccessaccount.png) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 00b99a4c75..c0ac95e03e 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
@@ -61,7 +61,7 @@ You can set the policy using one of these methods: - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: - ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) + ![Configure student PC settings in Set up School PCs.](images/suspc_configure_pc2.jpg) ## Trigger Autopilot Reset Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. @@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. - ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: @@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) + ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png) 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. 
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Is returned to a known good managed state, connected to Azure AD and MDM. - ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png) + ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png) Once provisioning is complete, the device is again ready for use. diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index b104042dbc..ea30225b3e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f **Figure 1** - Enter the details for the Windows edition change - ![Enter the details for the Windows edition change](images/i4e_editionupgrade.png) + ![Enter the details for the Windows edition change.](images/i4e_editionupgrade.png) 3. The change will automatically be applied to the group you selected. @@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that **Figure 2** - Enter the license key - ![Enter the license key to change to Windows 10 Pro Education](images/wcd_productkey.png) + ![Enter the license key to change to Windows 10 Pro Education.](images/wcd_productkey.png) 3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education. @@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi **Figure 3** - Check the box to confirm - ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) + ![Check the box to confirm.](images/msfe_manage_benefits_checktoconfirm.png) 5. Click **Change all my devices**. 
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps. **Figure 4** - Select how you'd like to set up the device - ![Select how you'd like to set up the device](images/1_howtosetup.png) + ![Select how you'd like to set up the device.](images/1_howtosetup.png) 2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. **Figure 5** - Enter the account details - ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) + ![Enter the account details you use with Office 365 or other Microsoft services.](images/2_signinwithms.png) 3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. 
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps. **Figure 6** - Go to **Access work or school** in Settings - ![Go to Access work or school in Settings](images/settings_workorschool_1.png) + ![Go to Access work or school in Settings.](images/settings_workorschool_1.png) 2. In **Access work or school**, click **Connect**. 3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. **Figure 7** - Select the option to join the device to Azure Active Directory - ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) + ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png) 4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. **Figure 8** - Verify the device connected to Azure AD - ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) + ![Verify the device is connected to Azure AD.](images/settings_connectedtoazuread_3.png) #### Step 2: Sign in using Azure AD account @@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change **Figure 12** - Revert to Windows 10 Pro - ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) + ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) 4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. 
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident **Figure 13** - On-premises AD DS integrated with Azure AD -![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) +![Illustration of Azure Active Directory Connect.](images/windows-ad-connect.png) For more information about integrating on-premises AD DS domains with Azure AD, see these resources: - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 59da859362..d927aef072 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. -![figure 1](images/chromebook-fig1-googleadmin.png) +![figure 1.](images/chromebook-fig1-googleadmin.png) Figure 1. Google Admin Console 
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). -![figure 2](images/fig2-locallyconfig.png) +![figure 2.](images/fig2-locallyconfig.png) Figure 2. Locally-configured settings on Chromebook diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index f662b8ac78..27b3806af5 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -94,19 +94,19 @@ Use one of these methods to set this policy. - Data type: Integer - Value: 0 - ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png) + ![Create an OMA URI for AllowCortana.](images/allowcortana_omauri.png) ### Group Policy Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. -![Set AllowCortana to disabled through Group Policy](images/allowcortana_gp.png) +![Set AllowCortana to disabled through Group Policy.](images/allowcortana_gp.png) ### Provisioning tools - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. - ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png) + ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) ## SetEduPolicies **SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). @@ -123,7 +123,7 @@ Use one of these methods to set this policy. - Data type: Boolean - Value: true - ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) + ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) ### Group Policy **SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
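Review bot: The `@@ -123,7 +123,7 @@` hunk in configure-windows-for-education.md rewrites `![Create an OMA URI for SetEduPolices.]` but keeps the misspelled policy name (`SetEduPolices`), while the section heading and surrounding text use `SetEduPolicies`, the actual SharedPC CSP node name. Correct the identifier while the line is being touched; alt text that mismatches the policy name is misleading for readers who depend on it.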
@@ -147,7 +147,7 @@ For example: - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. - ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) + ![Set SetEduPolicies to True in Windows Configuration Designer.](images/setedupolicies_wcd.png) ## Ad-free search with Bing Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 5ca4cb7ea0..9dcdd7ca81 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. > [!div class="mx-imgBorder"] -> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. > [!div class="mx-imgBorder"] -> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> ![Typical school configuration for this guide.](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. > [!div class="mx-imgBorder"] -> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> ![Typical classroom configuration in a school.](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* 
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. > [!div class="mx-imgBorder"] -> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") +> ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)). > [!div class="mx-imgBorder"] -> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") +> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") *Figure 5. Automatic synchronization between AD DS and Azure AD* 
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. > [!div class="mx-imgBorder"] -> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") +> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") *Figure 6. Bulk import into Azure AD from other sources* @@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool: - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] - > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") + > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") *Figure 7. Azure AD Connect on premises* - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. > [!div class="mx-imgBorder"] - > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") + > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") *Figure 8. Azure AD Connect in Azure* 
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 3b464f9fa6..318b892188 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![fig 1](images/deploy-win-10-school-figure1.png) +![fig 1.](images/deploy-win-10-school-figure1.png) *Figure 1. Typical school configuration for this guide* Figure 2 shows the classroom configuration this guide uses. -![fig 2](images/deploy-win-10-school-figure2.png) +![fig 2.](images/deploy-win-10-school-figure2.png) *Figure 2. Typical classroom configuration in a school* @@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. 7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. -![fig 3](images/deploy-win-10-school-figure3.png) +![fig 3.](images/deploy-win-10-school-figure3.png) *Figure 3. How school configuration works* 
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the **Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396). -![fig 4](images/deploy-win-10-school-figure4.png) +![fig 4.](images/deploy-win-10-school-figure4.png) *Figure 4. Automatic synchronization between AD DS and Azure AD* @@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. -![fig 5](images/deploy-win-10-school-figure5.png) +![fig 5.](images/deploy-win-10-school-figure5.png) *Figure 5. Bulk import into Azure AD from other sources* 
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods: - **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![fig 6](images/deploy-win-10-school-figure6.png) + ![fig 6.](images/deploy-win-10-school-figure6.png) *Figure 6. Azure AD Connect on premises* - **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![fig 7](images/deploy-win-10-school-figure7.png) + ![fig 7.](images/deploy-win-10-school-figure7.png) *Figure 7. Azure AD Connect in Azure* diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index eaa2f7c35b..03a761c858 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices: 1. On the computer, go to **Settings** and select **Privacy**. - ![Privacy settings](images/win10_settings_privacy.png) + ![Privacy settings.](images/win10_settings_privacy.png) 2. Under the list of **Privacy** areas, select **Contacts**. - ![Contacts privacy settings](images/win10_settings_privacy_contacts.png) + ![Contacts privacy settings.](images/win10_settings_privacy_contacts.png) 3. Turn off **Let apps access my contacts**. 
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off. -![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png) +![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png) The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. @@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can: * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce. - ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png) + ![App privacy Group Policy.](images/gp_letwinappsaccesscontacts.png) ## Skype and Xbox settings @@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t To manage and edit your profile in the Skype UWP app, follow these steps: -1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. +1. In the Skype UWP app, select the user profile icon ![Skype profile icon.](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. 2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. 
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps: 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. - ![Skype profile icon](images/skype_uwp_manageprofilepic.png) + ![Skype profile icon.](images/skype_uwp_manageprofilepic.png) * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 586d6ea6b8..f4ea0cf4ef 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi 2. Click **Manage**, and then click **Settings**. 3. On **Shop**, select or clear **Make everyone a Basic Purchaser**. -![manage settings to control Basic Purchaser role assignment](images/sfe-make-everyone-bp.png) +![manage settings to control Basic Purchaser role assignment.](images/sfe-make-everyone-bp.png) > [!NOTE] > **Make everyone a Basic Purchaser** is on by default. @@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi 2. Click **Manage**, and then choose **Permissions**. 3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**. - ![Permission page for Microsoft Store for Business](images/sfe-roles.png) + ![Permission page for Microsoft Store for Business.](images/sfe-roles.png) **Blocked Basic Purchasers** diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 78f1759c45..a89e29de02 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
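Review bot: In the edu-deployment-recommendations.md hunk at `@@ -127,7 +127,7 @@`, the alt text for `images/skype_uwp_manageprofilepic.png` is still "Skype profile icon.", which is the same alt text used for the small profile icon in the preceding hunk, while step 6 says this image shows the **Manage Profile Picture** window. Since this change is touching the alt text anyway, make it describe the screenshot, e.g. `![Manage Profile Picture window in the Skype UWP app.](images/skype_uwp_manageprofilepic.png)`, so screen-reader users get a description that matches the step.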
@@ -29,7 +29,7 @@ ms.topic: conceptual Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. - + ## Prerequisites @@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) - + [Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) - + [Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index 81e3f97634..cf961bfe83 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -14,15 +14,15 @@ ms.date: 10/13/2017 # Windows 10 for Education -![Windows 10 Education and Windows 10 Pro Education](images/windows-10-for-education-banner.png) +![Windows 10 Education and Windows 10 Pro Education.](images/windows-10-for-education-banner.png) -## ![Learn more about Windows](images/education.png) Learn +## ![Learn more about Windows.](images/education.png) Learn

Windows 10 editions for education customers
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

Compare each Windows edition
Find out more about the features and functionality we support in each edition of Windows.

Get Windows 10 Education or Windows 10 Pro Education
When you've made your decision, find out how to buy Windows for your school.

-## ![Plan for Windows 10 in your school](images/clipboard.png) Plan +## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan

Windows 10 configuration recommendations for education customers
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

Deployment recommendations for school IT administrators
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

@@ -30,14 +30,14 @@ ms.date: 10/13/2017

Take tests in Windows 10
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

Chromebook migration guide
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

-## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy +## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy

Set up Windows devices for education
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

Deploy Windows 10 in a school
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

Deploy Windows 10 in a school district
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Test Windows 10 S on existing Windows 10 education devices
Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

-## ![Switch to Windows 10 for Education](images/windows.png) Switch +## ![Switch to Windows 10 for Education.](images/windows.png) Switch

Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index e3900603b6..a728b75a41 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. - + 2. Enter your email address, and select Educator, Administrator, or Student.
If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one. - + 3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store. - + 4. Sign in to Microsoft Store for Education with your email address. @@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. - + Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). @@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine 2. Click **Minecraft: Education Edition** in the list of apps. 3. On **Minecraft: Education Edition**, click **View Bills**. - ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-view-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-view-bills.png) 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png) The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. @@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo ### Configure automatic subscription assignment 
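Review bot: In the school-get-minecraft.md hunk at `@@ -113,11 +113,11 @@`, steps 3 and 4 reference two different screenshots (`images/mcee-view-bills.png` and `images/mcee-invoice-bills.png`) but both keep the identical alt text "Minecraft: Education Edition app details page with view bills link highlighted." Step 4 describes the **Invoice Bills** page, so the second alt text should describe that page instead (for example "Invoice Bills page with the invoice number highlighted."), otherwise the punctuation fix leaves a misleading description in place. Also, in the `@@ -50,15 +50,15 @@` hunk of the same file, the changed lines show only a removed and an added line with no visible content, so this looks like a whitespace-only change; please confirm that is intended.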
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. - + 3. Click **Install**. @@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. - ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) + ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) 3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student. - ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) + ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) **To finish Minecraft install (for students)** 1. Students will receive an email with a link that will install the app on their PC.
- ![Email with Get the app link](images/minecraft-student-install-email.png) + ![Email with Get the app link.](images/minecraft-student-install-email.png) 2. Click **Get the app** to start the app install in Microsoft Store app. 3. In Microsoft Store app, click **Install**. - ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png) + ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. - ![My Library for example student](images/minecraft-my-library.png) + ![My Library for example student.](images/minecraft-my-library.png) ### Download for others Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: 
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png) + ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png) + ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 
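Review bot: In the school-get-minecraft.md hunks at `@@ -225,11 +225,11 @@` and `@@ -238,7 +238,7 @@`, the alt text "Microsoft Store app showing access to My Library." is now applied to three different images: `images/minecraft-private-store.png`, `images/mc-check-for-updates.png` and `images/mc-dnld-others-teacher.png`. The surrounding steps say the second shows **Downloads and updates** with **Check for updates**, and the third shows the **Download for others** tab on the Minecraft: Education Edition page, so each should get its own descriptive alt text rather than a copy of the first one. Suggested: `![Downloads and updates page in the Microsoft Store app with Check for updates.](images/mc-check-for-updates.png)` and `![Download for others tab on the Minecraft: Education Edition page.](images/mc-dnld-others-teacher.png)`.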
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up To prevent educators from automatically signing up for Microsoft Store for Business 1. In Microsoft Store for Business, click **Settings**, and then click **Permissions**. - ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png) 2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.** @@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. - Acquire and manage the app - Info on Support page (including links to documentation and access to support through customer service) - ![assign roles to manage Minecraft permissions](images/minecraft-perms.png) + ![assign roles to manage Minecraft permissions.](images/minecraft-perms.png) **To assign Basic Purchaser role** @@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. 2. Click **Settings**, and then choose **Permissions**. - ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png) 3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**. - ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles.png) Microsoft Store for Business updates the list of people and permissions. - ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles-2.png) + ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles-2.png) --> 
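Review bot: In the school-get-minecraft.md hunks at `@@ -257,7 +257,7 @@` and `@@ -280,15 +280,15 @@`, the alt text "Permission page for Microsoft Store for Business." is reused for four images (`minecraft-admin-permissions.png` twice, `minecraft-assign-roles.png` and `minecraft-assign-roles-2.png`). Step 3 and the following line describe adding a person and the updated list of people and permissions, so the last two should say that, e.g. `![Add people dialog for assigning a role in Microsoft Store for Business.](images/minecraft-assign-roles.png)` and `![Updated list of people and permissions in Microsoft Store for Business.](images/minecraft-assign-roles-2.png)`. Note that this whole region ends with `-->`, so the content is inside an HTML comment and none of these alt-text changes render; it may be worth checking whether the commented-out block should be restored or removed rather than edited.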
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 6d62b6bb55..02198518ca 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**. for Azure AD by selecting **All** or **Selected**. If you choose the latter option, select the teachers and IT staff to allow them to connect to Azure AD. -![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png) +![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png) You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 22d45b09fc..328b2f80a1 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png) The account can be in one of the following formats: - username diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 7d803777e5..f0bb65fa78 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md 
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur 2. 2. On the **Finish** page, select **Switch to advanced editor**. - ![Switch to advanced editor](images/icd-school-adv-edit.png) + ![Switch to advanced editor.](images/icd-school-adv-edit.png) **Next steps** - [Add a desktop app to your package](#add-a-desktop-app-to-your-package) @@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options](images/icdstart-option.png) + ![ICD start options.](images/icdstart-option.png) 3. Name your project and click **Next**. 
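Review bot: In the set-up-students-pcs-with-apps.md hunk at `@@ -35,7 +35,7 @@`, the context line reads "2. 2. On the **Finish** page, select **Switch to advanced editor**." with a duplicated list number. It is an unchanged line, but since the hunk touches the adjacent image line, consider fixing it in the same PR to "2. On the **Finish** page, ..." so the numbered list renders correctly.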
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package](images/uwp-family.png) + ![details for offline app package.](images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package](images/uwp-dependencies.png) + ![required frameworks for offline app package.](images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page. - ![generate license for offline app](images/uwp-license.png) + ![generate license for offline app.](images/uwp-license.png) [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) @@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct **During initial setup, from a USB drive** 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC](images/oobe.jpg) + ![The first screen to set up a new PC.](images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. 
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device](images/prov.jpg) + ![Provision this device.](images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package](images/choose-package.png) + ![Choose a package.](images/choose-package.png) 5. Select **Yes, add it**. @@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct 6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/license-terms.png) + ![Sign in.](images/license-terms.png) 7. Select **Use Express settings**. - ![Get going fast](images/express-settings.png) + ![Get going fast.](images/express-settings.png) 8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. @@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct 9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - ![Connect to Azure AD](images/connect-aad.png) + ![Connect to Azure AD.](images/connect-aad.png) 10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - ![Sign in](images/sign-in-prov.png) + ![Sign in.](images/sign-in-prov.png) **After setup, from a USB drive, network folder, or SharePoint site** On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. -![add a package option](images/package.png) +![add a package option.](images/package.png) --> 
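Review bot: In the set-up-students-pcs-with-apps.md hunk at `@@ -188,11 +188,11 @@`, the alt text for `images/license-terms.png` remains "Sign in." while step 6 says the screen is the **Microsoft Software License Terms**; the same "Sign in." alt text is then correctly used for `images/sign-in-prov.png` in the `@@ -200,18 +200,18 @@` hunk. Change the first to something like `![Microsoft Software License Terms screen.](images/license-terms.png)` so the two screenshots are distinguishable. As with the Minecraft file, this region closes with `-->`, so these lines are inside an HTML comment and the alt-text change has no visible effect unless the block is uncommented.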
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index b401df97ef..e1acdf9f1d 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D You can use the following diagram to compare the tools. -![Which tool to use to set up Windows 10](images/suspc_wcd_featureslist.png) +![Which tool to use to set up Windows 10.](images/suspc_wcd_featureslist.png) ## In this section diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 3044c770e5..10e2d2f7e0 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC' **Figure 1** - Configure Take a Test in the Set up School PCs app -![Configure Take a Test in the Set up School PCs app](images/suspc_choosesettings_setuptakeatest.png) +![Configure Take a Test in the Set up School PCs app.](images/suspc_choosesettings_setuptakeatest.png) ### Set up a test account in Intune for Education You can set up a test-taking account in Intune for Education. To do this, follow these steps: @@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 2** - Add a test profile in Intune for Education - ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png) + ![Add a test profile in Intune for Education.](images/i4e_takeatestprofile_addnewprofile.png) 3. In the new profile page: 1. Enter a name for the profile. 
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 3** - Add information about the test profile - ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png) + ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png) After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. @@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 4** - Assign the test account to a group - ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png) + ![Assign the test account to a group.](images/i4e_takeatestprofile_accountsummary.png) 5. In the **Groups** page, click **Change group assignments**. **Figure 5** - Change group assignments - ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png) + ![Change group assignments.](images/i4e_takeatestprofile_groups_changegroupassignments.png) 6. In the **Change group assignments** page: 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. 
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow **Figure 6** - Select the group(s) that will use the test account - ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png) + ![Select the groups that will use the test account.](images/i4e_takeatestprofile_groupassignment_selected.png) And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests. @@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png) The account can be in one of the following formats: - username diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 1286a5aec8..9d26301975 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC, **Figure 1** - Use the Settings app to set up a test-taking account - ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) + ![Use the Settings app to set up a test-taking account.](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) 4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account. **Figure 2** - Choose the test-taking account - ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) + ![Choose the test-taking account.](images/tat_settingsapp_setuptesttakingaccount_1703.png) > [!NOTE] > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 7e016c22c0..f9ba6a9479 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr ## How to use Take a Test -![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png) +![Set up and user flow for the Take a Test app.](images/take_a_test_flow_dark.png) There are several ways to configure devices for assessments, depending on your use case: diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 136499ee4c..6f0d1d4341 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly - You can assign the app to others. - You can download the app to distribute. - + ### Install for me You can install the app on your PC. This gives you a chance to work with the app before using it with your students. @@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. - + 3. Click **Install**. @@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. - + 3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - ![Assign to people showing student name](images/minecraft-assign-to-people-name.png) + ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) You can assign the app to students with work or school accounts.
If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. @@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with Students will receive an email with a link that will install the app on their PC. -![Email with Get the app link](images/minecraft-student-install-email.png) +![Email with Get the app link.](images/minecraft-student-install-email.png) 1. Click **Get the app** to start the app install in Microsoft Store app. 2. In Microsoft Store app, click **Install**. - ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png) + ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. - ![My Library for example student](images/minecraft-my-library.png) + ![My Library for example student.](images/minecraft-my-library.png) ### Download for others Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: 
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) + ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png) + ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png) + ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 3f31119391..ca36e12e5a 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**. - ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) + ![Launch the Set up School PCs app.](images/suspc_getstarted_050817.png) ### Package name Type a unique name to help distinguish your school's provisioning packages. The name appears: diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 4294d7199e..3b6a109ef3 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -18,7 +18,7 @@ ms.topic: conceptual # Get started: Deploy and manage a full cloud IT solution for your business -![Learn how to set up a full cloud infrastructure for your business](images/business-cloud-mode.png) +![Learn how to set up a full cloud infrastructure for your business.](images/business-cloud-mode.png) **Applies to:** @@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 1** - Try or buy Office 365 - ![Office 365 for business sign up](images/office365_tryorbuy_now.png) + ![Office 365 for business sign up.](images/office365_tryorbuy_now.png) 2. Fill out the sign up form and provide information about you and your company. 3. Create a user ID and password to use to sign into your account. @@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 2** - Microsoft 365 admin center - ![Microsoft 365 admin center](images/office365_portal.png) + ![Microsoft 365 admin center.](images/office365_portal.png) 6. Select the **Admin** tile to go to the admin center. 
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 3** - Admin center - ![Microsoft 365 admin center](images/office365_admin_portal.png) + ![Microsoft 365 admin center.](images/office365_admin_portal.png) 8. Go back to the admin center to add or buy a domain. @@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 4** - Option to add or buy a domain - ![Add or buy a domain in admin center](images/office365_buy_domain.png) + ![Add or buy a domain in admin center.](images/office365_buy_domain.png) 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. **Figure 5** - Microsoft-provided domain - ![Microsoft-provided domain](images/office365_ms_provided_domain.png) + ![Microsoft-provided domain.](images/office365_ms_provided_domain.png) - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. 
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 6** - Domains - ![Verify your domains in the admin center](images/office365_additional_domain.png) + ![Verify your domains in the admin center.](images/office365_additional_domain.png) ### 1.2 Add users and assign product licenses Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center. @@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 7** - Add users - ![Add Office 365 users](images/office365_users.png) + ![Add Office 365 users.](images/office365_users.png) 2. In the **Home > Active users** page, add users individually or in bulk. - To add users one at a time, select **+ Add a user**. @@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 8** - Add an individual user - ![Add an individual user](images/office365_add_individual_user.png) + ![Add an individual user.](images/office365_add_individual_user.png) - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. 
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your **Figure 9** - Import multiple users - ![Import multiple users](images/office365_import_multiple_users.png) + ![Import multiple users.](images/office365_import_multiple_users.png) 3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them. **Figure 10** - List of active users - ![Verify users and assigned product licenses](images/o365_active_users.png) + ![Verify users and assigned product licenses.](images/o365_active_users.png) ### 1.3 Add Microsoft Intune Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see What is Intune? @@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag **Figure 11** - Assign Intune licenses - ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png) + ![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png) 5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again. 6. Select **Intune**. This will take you to the Intune management portal. **Figure 12** - Microsoft Intune management portal - ![Microsoft Intune management portal](images/intune_portal_home.png) + ![Microsoft Intune management portal.](images/intune_portal_home.png) Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution). 
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick **Figure 13** - Access to Azure AD is not available - ![Access to Azure AD not available](images/azure_ad_access_not_available.png) + ![Access to Azure AD not available.](images/azure_ad_access_not_available.png) 3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365. 4. Click **Azure subscription**. This will take you to a free trial sign up screen. **Figure 14** - Sign up for Microsoft Azure - ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png) + ![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png) 5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**. 6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**. **Figure 15** - Start managing your Azure subscription - ![Start managing your Azure subscription](images/azure_ad_successful_signup.png) + ![Start managing your Azure subscription.](images/azure_ad_successful_signup.png) This will take you to the Microsoft Azure portal. @@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the Microsoft Store for Business using the same tenant account that you used to sign into Intune. 4. Accept the EULA. 
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**. 8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune. **Figure 26** - Configure Store for Business sync in Intune - ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png) + ![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png) 9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**. **Figure 27** - Enable Microsoft Store for Business sync in Intune - ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png) + ![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png) The **Microsoft Store for Business** page will refresh and it will show the details from the sync. @@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S **Figure 28** - Shop for Store apps - ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png) + ![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png) 2. Click to select an app, such as **Reader**. This opens the app page. 3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page. 
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S **Figure 29** - App inventory shows the purchased apps - ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png) + ![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png) > [!NOTE] > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). @@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your **Figure 30** - Force a sync in Intune - ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png) + ![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png) **To view purchased apps** - In the Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly. @@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi **Figure 31** - First screen in Windows device setup - ![First screen in Windows device setup](images/win10_hithere.png) + ![First screen in Windows device setup.](images/win10_hithere.png) > [!NOTE] > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. 
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi **Figure 32** - Choose how you'll connect your Windows device - ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png) + ![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png) 4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts. **Figure 33** - Sign in using one of the accounts you added - ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png) + ![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png) 5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup. @@ -430,7 +430,7 @@ In the Intune management **Figure 34** - Check the PC name on your device - ![Check the PC name on your device](images/win10_settings_pcname.png) + ![Check the PC name on your device.](images/win10_settings_pcname.png) 2. Log in to the Intune management portal. 3. Select **Groups** and then go to **Devices**. 
@@ -441,7 +441,7 @@ In the Intune management **Figure 35** - Check that the device appears in Intune - ![Check that the device appears in Intune](images/intune_groups_devices_list.png) + ![Check that the device appears in Intune.](images/intune_groups_devices_list.png) ## 3. Manage device settings and features You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). @@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 36** - Reconfigure an app's deployment setting in Intune - ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png) + ![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png) 6. Click **Finish**. 7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible. @@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 37** - Confirm that additional apps were deployed to the device - ![Confirm that additional apps were deployed to the device](images/win10_deploy_apps_immediately.png) + ![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png) ### 3.2 Configure other settings in Intune @@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 38** - Add a configuration policy - ![Add a configuration policy](images/intune_policy_disablecamera.png) + ![Add a configuration policy.](images/intune_policy_disablecamera.png) 7. Click **Save Policy**. A confirmation window will pop up. 8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now. 
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 39** - The new policy should appear in the **Policies** list. - ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png) + ![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png) **To turn off Windows Hello and PINs during device setup** 1. In the Intune management portal, select **Admin**. @@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the **Figure 40** - Policy to disable Windows Hello for Business - ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png) + ![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png) 4. Click **Save**. 
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne **Figure 41** - Add an Azure AD account to the device - ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png) + ![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png) 4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user. **Figure 42** - Enter the account details - ![Enter the account details](images/win10_add_new_user_account_aadwork.png) + ![Enter the account details.](images/win10_add_new_user_account_aadwork.png) 5. You will be asked to update the password so enter a new password. 6. Verify the details to make sure you're connecting to the right organization and then click **Join**. **Figure 43** - Make sure this is your organization - ![Make sure this is your organization](images/win10_confirm_organization_details.png) + ![Make sure this is your organization.](images/win10_confirm_organization_details.png) 7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**. **Figure 44** - Confirmation that the device is now connected - ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png) + ![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png) 8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources. **Figure 45** - Device is now enrolled in Azure AD - ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png) + ![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png) 9. 
You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. diff --git a/smb/index.md b/smb/index.md index cc4c596a1c..a6ae7f1200 100644 --- a/smb/index.md +++ b/smb/index.md @@ -17,16 +17,16 @@ audience: itpro # Windows 10 for SMB -![Windows 10 for SMB](images/smb_portal_banner.png) +![Windows 10 for SMB.](images/smb_portal_banner.png) -## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn +## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn

Windows 10 for business
Learn how Windows 10 and Windows devices can help your business.

SMB blog
Read about the latest stories, technology insights, and business strategies for SMBs.

How to buy
Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.

-## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy +## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy

Get started: Deploy and manage a full cloud IT solution for your business
Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.

diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index 73c2ce1f3d..882b7e57ba 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add 2. Select **Manage**, and then select **Settings**. 3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**. -![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png) +![manage settings to control Basic Purchaser role assignment.](images/sfb-allow-shop-setting.png) ## Allow app requests diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index 26bb2598f8..bee1e82435 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -51,7 +51,7 @@ invoice and descriptions for each term. The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay. -![Invoice summary section](images/invoicesummary.png) +![Invoice summary section.](images/invoicesummary.png) | Term | Description | @@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab The **Billing Summary** shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due. -![Billing summary section](images/billingsummary.png) +![Billing summary section.](images/billingsummary.png) | Term | Description | | --- | --- | 
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure `Total = Charges/Credits - Azure Credit + Tax` -![Details by invoice section](images/invoicesectiondetails.png) +![Details by invoice section.](images/invoicesectiondetails.png) | Term |Description | | --- | --- | diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index bb29be21a9..3bdd7d61bc 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -91,7 +91,7 @@ Get-MSStoreInventory >1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/). >2. Click **Manage** and then choose **Apps & software**. >3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example: ->![Url after apps/ is product id and next is SKU](images/lob-sku.png) +>![Url after apps/ is product id and next is SKU.](images/lob-sku.png) ## View people assigned to a product Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands: diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index 784e422a8a..0a66d2a739 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co 1. Click the people icon in Microsoft Store app, and click **Sign in**. - ![Sign in to Store app with a different account](images/wsfb-wsappsignin.png) + ![Sign in to Store app with a different account.](images/wsfb-wsappsignin.png) 2. Click **Add account**, and then click **Work or school account**. - ![Choose an account to use](images/wsfb-wsappaddacct.png) + ![Choose an account to use.](images/wsfb-wsappaddacct.png) 3. Type the email account and password, and click **Sign in**. - ![Sign in for work or school account](images/wsfb-wsappworkacct.png) + ![Sign in for work or school account.](images/wsfb-wsappworkacct.png) 4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**. - ![Private store with name highlighted](images/wsfb-wsappprivatestore.png) + ![Private store with name highlighted.](images/wsfb-wsappprivatestore.png) Click the private store to see apps in your private store. - ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png) + ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png) ## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 66f34fdabe..4b0cd1e47d 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f :::row::: :::column span="1"::: - ![Security groups](images/security-groups-icon.png) + ![Security groups.](images/security-groups-icon.png) :::column-end::: :::column span="1"::: **Use security groups with Private store apps**

On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.

[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education @@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features! | | | |-----------------------|---------------------------------| -| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**

We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

[Get more info](./manage-private-store-settings.md#private-store-performance)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**

We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

[Get more info](./manage-private-store-settings.md#private-store-performance)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | | **Manage Windows device deployment with Windows Autopilot Deployment**

In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.

[Get more info](add-profile-to-devices.md)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | || ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**

You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.

[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 2150c9e7c3..8efc8effad 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -46,7 +46,7 @@ You'll need to set up: - LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store. The process and timing look like this: -![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png) +![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png) ## Add an LOB publisher (Admin) Admins need to invite developer or ISVs to become an LOB publisher. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index b0bdee5283..130ad633ee 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). -![Package add file and registry data](images/packageaddfileandregistrydata.png) +![Package add file and registry data.](images/packageaddfileandregistrydata.png) **Package add file and registry data** 
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. -![package add file and registry data - global](images/packageaddfileandregistrydata-global.png) +![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png) **Package add file and registry data—global** @@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A 7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis. - ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png) + ![package add file and registry data - stream.](images/packageaddfileandregistrydata-stream.png) **Package add file and registry data—stream** diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 501a6eae9f..4183212c31 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md 
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi |Status|Task|References|Notes| |---|---|---|---| -|![Checklist box](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)|| >[!NOTE] >Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process. diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index e8785b3d7f..9bde5d0531 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit 1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). 2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation. - ![Selecting APP-V features in ADK](images/app-v-in-adk.png) + ![Selecting APP-V features in ADK.](images/app-v-in-adk.png) 3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**. See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index e838f04c45..50887ca724 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md 
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for |Status|Task|References|Notes| |---|---|---|---| -|![Checklist box](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| -|![Checklist box](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)|| +|![Checklist 
box.](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| +|![Checklist box.](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index d123957cd1..0a72c19e87 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background.  -![Background apps settings page](images/backgroundapps-setting.png) +![Background apps settings page.](images/backgroundapps-setting.png) The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:  -![Battery usage by app on desktop](images/battery-usage-by-app-desktop.png) +![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png) Here is the set of available controls for mobile devices:  -![Battery usage by app on mobile](images/battery-usage-by-app-mobile.png) +![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 0cda2dc8c9..4483687ba8 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d 5. Right-click **Registry** > **New** > **Registry Item**. - ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) + ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) 6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. - ![Choose HKLM](media/gpp-hklm.png) + ![Choose HKLM.](media/gpp-hklm.png) 7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. - ![Select Start](media/gpp-svc-start.png) + ![Select Start.](media/gpp-svc-start.png) 8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. - ![Startup Type is Disabled](media/gpp-svc-disabled.png) + ![Startup Type is Disabled.](media/gpp-svc-disabled.png) 9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. 
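Review bot: the hunk header context `If a per-user service can't be disabled using a the security template` and step 9's `cannot be managed with a Group Policy templates` carry article errors (`a the`, `a ... templates`) in the unchanged lines of this hunk; since per-user-services-in-windows.md is already being edited in this patch, fix them in the same pass (`using the security template`, `with Group Policy templates`).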
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): -![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) +![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) > [!CAUTION] > We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry: -![Create per-user services in disabled state](media/user-service-flag.png) +![Create per-user services in disabled state.](media/user-service-flag.png) ### Manage template services by modifying the Windows image @@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance. -![Use sc.exe to view service type](media/cmd-type.png) \ No newline at end of file +![Use sc.exe to view service type.](media/cmd-type.png) \ No newline at end of file 
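Review bot: the `+` line in the hunk at `@@ -140,14 +140,14 @@` keeps the misspellings in the alt text it touches (`![Using Regedit to change servive Starup Type.]`); because the line is being rewritten anyway, correct it to `service Startup Type`. Alt text is what a screen reader announces, so the typos are user-visible rather than cosmetic.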
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 4130fde7e5..8482a3497c 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You For example, here are the running processes displayed in Task Manager in Windows 10 version 1607: -![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png) +![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) Compare that to the same view of running processes in Windows 10 version 1703: -![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png) +![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png) @@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The default value of **1** prevents the service from being split. For example, this is the registry key configuration for BFE: -![Example of a service that cannot be separated](media/svchost-separation-disabled.png) +![Example of a service that cannot be separated.](media/svchost-separation-disabled.png) ## Memory footprint @@ -77,7 +77,7 @@ Consider the following: |Grouped Services (< 3.5GB) | Split Services (3.5GB+) |--------------------------------------- | ------------------------------------------ | -|![Memory utilization for grouped services](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | +|![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | > [!NOTE] > The above represents the peak observed values. 
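Review bot: the memory-footprint table row in the last svchost-service-refactoring.md hunk adds the trailing period to only one of its two alt texts: `![Memory utilization for grouped services.]` gets it, while `![Memory utilization for separated services]` on the same `+` line does not, leaving the row inconsistent with every other change in this patch; add the period to the second alt text as well.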
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 260944a53c..6da0fdfdb9 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -23,11 +23,11 @@ ms.topic: article Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. -![Screenshot of Control Panel](images/admin-tools.png) +![Screenshot of Control Panel.](images/admin-tools.png) The tools in the folder might vary depending on which edition of Windows you are using. -![Screenshot of folder of admin tools](images/admin-tools-folder.png) +![Screenshot of folder of admin tools.](images/admin-tools-folder.png) These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index ac96c101cf..c2a8ea0c57 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. - ![example of an audit failure](images/auditfailure.png) + ![example of an audit failure.](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

‎ - ![example of an audit success](images/auditsuccess.png) + ![example of an audit success.](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: -![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) +![event viewer screenshot showing wired-autoconfig and WLAN autoconfig.](images/eventviewer.png) Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. First, validate the type of EAP method that's used: -![eap authentication type comparison](images/comparisontable.png) +![eap authentication type comparison.](images/comparisontable.png) If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section. 
-![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) +![Constraints tab of the secure wireless connections properties.](images/eappropertymenu.png) The CAPI2 event log is useful for troubleshooting certificate-related issues. By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**. -![screenshot of event viewer](images/capi.png) +![screenshot of event viewer.](images/capi.png) For information about how to analyze CAPI2 event logs, see [Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: -![authenticator flow chart](images/authenticator_flow_chart.png) +![authenticator flow chart.](images/authenticator_flow_chart.png) If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples: -![client-side packet capture data](images/clientsidepacket_cap_data.png) +![client-side packet capture data.](images/clientsidepacket_cap_data.png) *Client-side packet capture data*

-![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) +![NPS-side packet capture data.](images/NPS_sidepacket_capture_data.png) *NPS-side packet capture data*
‎ > [!NOTE] > If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example: -![ETL parse](images/etl.png) +![ETL parse.](images/etl.png) ## Audit policy diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 646585085e..d039c10c17 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. -![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)
+![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
[Click to enlarge](img-boot-sequence.md)
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index ce4154396e..57d2cc10a8 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -152,7 +152,7 @@ The important components of the MSM include: - Security Manager (SecMgr) - handles all pre and post-connection security operations. - Authentication Engine (AuthMgr) – Manages 802.1x auth requests - ![MSM details](images/msmdetails.png) + ![MSM details.](images/msmdetails.png) Each of these components has their own individual state machines which follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. @@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta In the following example, the **View** settings are configured to **Show Only Filtered Lines**. -![TAT filter example](images/tat.png) \ No newline at end of file +![TAT filter example.](images/tat.png) \ No newline at end of file diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index 69fa51d4e4..d59710d70b 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -54,4 +54,4 @@ To change the policy for an external storage device: 7. Select the policy that you want to use. - ![Policy options for disk management](./images/change-def-rem-policy-2.png) + ![Policy options for disk management.](./images/change-def-rem-policy-2.png) 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 275869bf99..4d8f35673e 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -24,7 +24,7 @@ ms.topic: article From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). -![Remote Desktop Connection client](images/rdp.png) +![Remote Desktop Connection client.](images/rdp.png) ## Set up @@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer](images/allow-rdp.png) + ![Allow remote connections to this computer.](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md index b1077e5be6..6ce343dade 100644 --- a/windows/client-management/img-boot-sequence.md +++ b/windows/client-management/img-boot-sequence.md 
@@ -14,4 +14,4 @@ ms.prod: w10 Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-![Full-sized boot sequence flowchart](images/boot-sequence.png) +![Full-sized boot sequence flowchart.](images/boot-sequence.png) diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 376916c1d3..9354d9c8c9 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support. -![Task manager](images/task-manager.png) +![Task manager.](images/task-manager.png) The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage. -![Out of memory](images/out-of-memory.png) +![Out of memory.](images/out-of-memory.png) -![Task Manager](images/task-manager-commit.png) +![Task Manager.](images/task-manager-commit.png) The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values. diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 263dd24430..db00986ab0 100644 
--- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. -![Device Installation policies flow chart](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ +![Device Installation policies flow chart.](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ @@ -261,17 +261,17 @@ To find device identification strings using Device Manager 4. Find the “Printers” section and find the target printer - ![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ + ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ 5. Double-click the printer and move to the ‘Details’ tab. - ![‘Details’ tab](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ + ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ 6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies. - ![HWID](images/device-installation-dm-printer-hardware-ids.png) + ![HWID.](images/device-installation-dm-printer-hardware-ids.png) - ![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ + ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ > [!TIP] > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs. @@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed: 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 7. Click ‘OK’. @@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed: 1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously - ![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ + ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ 2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers @@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed: 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 - ![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ + ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ 6. Click ‘OK’. @@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 7. Click ‘OK’. @@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) - ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ + ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. @@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. - ![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ + ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ 12. Click ‘OK’. @@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l 3. Find the USB thumb-drive and select it. - ![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ + ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ 4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree. - ![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ + ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ > [!NOTE] > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked. - ![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ + ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ 5. Double-click the USB thumb-drive and move to the ‘Details’ tab. 6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ + ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ Creating the policy to prevent a single USB thumb-drive from being installed: @@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ + ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ 6. Click ‘OK’. @@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 - “Generic USB Hub” -> USB\USB20_HUB -![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ +![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine. @@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. - ![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ + ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. @@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ + ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ 13. Click ‘OK’. diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index a177277d07..f64ee0de0c 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -35,7 +35,7 @@ Policy paths: **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. -![Settings page visibility policy](images/settings-page-visibility-gp.png) +![Settings page visibility policy.](images/settings-page-visibility-gp.png) ## Configuring the Group Policy diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 22ba2d74a8..0e9dd8a789 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. -![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png) +![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png) ## Settings and Configuration diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index b5b30659d6..7b77f47742 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md 
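Review bot: in manage-device-installation-with-group-policy.md, hunk `@@ -489,7 +489,7 @@`, the mechanically added period lands after alt text that already ends in a quoted sentence, producing `criteria.".]`; drop the extra period so the line reads `![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)`. The `![Image of Local Group Policy Editor ...]` context line just above it in the same hunk already follows that pattern and was correctly left untouched.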
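Review bot: the same double punctuation appears in hunk `@@ -671,7 +671,7 @@` of manage-device-installation-with-group-policy.md, where the rewritten line ends in `Device IDs.".]`; the quoted policy name already supplies the terminal period, so the alt text should end `Device IDs."]` rather than gaining a second one.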
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want, > [!TIP] > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: > - > ![Microsoft Bing Translator package error](images/sysprep-error.png) + > ![Microsoft Bing Translator package error.](images/sysprep-error.png) > > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. @@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want, 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of User Profiles UI](images/copy-to.png) + ![Example of User Profiles UI.](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. - ![Example of Copy To UI](images/copy-to-change.png) + ![Example of Copy To UI.](images/copy-to-change.png) 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. 
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want, - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of Copy profile to](images/copy-to-path.png) + ![Example of Copy profile to.](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path](images/copy-to-path.png) + ![Example of Copy To UI with UNC path.](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. 
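Review bot: in mandatory-user-profile.md, hunk `@@ -98,11 +98,11 @@`, both screenshots reference the same file, `images/copy-to-path.png`, while their alt texts describe two different states (`Example of Copy profile to.` versus `Example of Copy To UI with UNC path.`); while these lines are open, confirm whether the second image should point at a separate UNC-path screenshot, or collapse the two into one image, otherwise the alt text promises a picture readers never get.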
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | | --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | > [!NOTE] > The Group Policy settings above can be applied in Windows 10 
Professional edition. diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 930343209f..42722f7bd7 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic The following diagram shows the AccountManagement configuration service provider in tree format. -![accountmanagement csp](images/provisioning-csp-accountmanagement.png) +![accountmanagement csp.](images/provisioning-csp-accountmanagement.png) **./Vendor/MSFT/AccountManagement** Root node for the AccountManagement configuration service provider. diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 34f60116f4..64394a6989 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md 
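Review bot: in mandatory-user-profile.md, hunk `@@ -139,9 +139,9 @@`, only the first image cell of each row is changed (`![supported.](images/checkmark.png)`) while the remaining `![supported]` and `![not supported]` cells in the same rows keep the old alt text; apply the change to every cell in the table or to none, since the alt-text rule being enforced here does not depend on column position, and as written the table is internally inconsistent.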
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a 1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png) + ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png) 2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available. - ![sign up for azure ad](images/azure-ad-add-tenant2.png) + ![sign up for azure ad.](images/azure-ad-add-tenant2.png) 3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**. - ![create azure account](images/azure-ad-add-tenant3.png) + ![create azure account.](images/azure-ad-add-tenant3.png) 4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**. - ![add aad tenant](images/azure-ad-add-tenant3-b.png) + ![add aad tenant.](images/azure-ad-add-tenant3-b.png) 5. After you finish creating your Azure account, you can add an Azure AD subscription. If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - ![login to office 365](images/azure-ad-add-tenant4.png) + ![login to office 365.](images/azure-ad-add-tenant4.png) 6. Select **Install software**. - ![login to office 365](images/azure-ad-add-tenant5.png) + ![login to office 365.](images/azure-ad-add-tenant5.png) 7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation. 
- ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png) + ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png) 8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase. - ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png) + ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png) 9. Continue with your purchase. - ![azure active directory premium payment page](images/azure-ad-add-tenant8.png) + ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) 10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....). - ![admin center left navigation menu](images/azure-ad-add-tenant9.png) + ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications. 
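Review bot: in add-an-azure-ad-tenant-and-azure-ad-subscription.md, hunk `@@ -21,45 +21,45 @@`, steps 5 and 6 still share the identical alt text `login to office 365.` for two different screenshots (the sign-in page and the **Install software** page); since every alt line in this hunk is being rewritten, give each a description of what it shows rather than only a trailing period. The untouched context in step 5 also reads `Office 356 portal` and `user1@contosoltd.onmicrosoftcom` (missing the dot before `com`), which would be easy to fix in the same pass.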
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent 1. Sign in to the Microsoft 365 admin center at using your organization's account. - ![register azuread](images/azure-ad-add-tenant10.png) + ![register azuread.](images/azure-ad-add-tenant10.png) 2. On the **Home** page, select on the Admin tools icon. - ![register azuread](images/azure-ad-add-tenant11.png) + ![register azuread.](images/azure-ad-add-tenant11.png) 3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. - ![register azuread](images/azure-ad-add-tenant12.png) + ![register azuread.](images/azure-ad-add-tenant12.png) 4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - ![register azuread](images/azure-ad-add-tenant13.png) + ![register azuread.](images/azure-ad-add-tenant13.png) 5. It may take a few minutes to process the request. - ![register azuread](images/azure-ad-add-tenant14.png) + ![register azuread.](images/azure-ad-add-tenant14.png) 6. You will see a welcome page when the process completes. - ![register azuread](images/azure-ad-add-tenant15.png) + ![register azuread.](images/azure-ad-add-tenant15.png) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 3df830bda7..5669fcf0f8 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
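Review bot: in add-an-azure-ad-tenant-and-azure-ad-subscription.md, hunk `@@ -69,27 +69,27 @@`, all six screenshots end up with the same alt text `register azuread.`; appending a period does not make them accessible, because a screen reader will announce six indistinguishable images. Replace each with a short description taken from the step it illustrates (the admin center sign-in, the Admin tools icon on the Home page, the Azure AD sign-up page, the phone-number form, the processing page, the welcome page).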
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace. The **Device Portal** page opens on your browser. - ![device portal screenshot](images/applocker-screenshot1.png) + ![device portal screenshot.](images/applocker-screenshot1.png) 8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. 9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. - ![device portal app manager](images/applocker-screenshot3.png) + ![device portal app manager.](images/applocker-screenshot3.png) 10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. - ![app manager](images/applocker-screenshot2.png) + ![app manager.](images/applocker-screenshot2.png) The following table shows the mapping of information to the AppLocker publisher rule field. diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 157bf6f4d0..4c8f6eaecd 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -23,7 +23,7 @@ manager: dansimp [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) -![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) +![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.

diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 82a11f3eb6..97f22aae88 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint. -![azure ad enrollment flow](images/azure-ad-enrollment-flow.png) +![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic. 
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software. -![azure ad add an app for mdm](images/azure-ad-app-gallery.png) +![azure ad add an app for mdm.](images/azure-ad-app-gallery.png) ### Add cloud-based MDM to the app gallery @@ -732,7 +732,7 @@ Response: When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenrollment](images/azure-ad-unenrollment.png) +![aadj unenrollment.](images/azure-ad-unenrollment.png) ## Error codes diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 21499425a9..ce25592491 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -20,10 +20,10 @@ manager: dansimp 2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. 3. Select **Microsoft Intune** and configure the blade. -![How to get to the Blade](images/azure-mdm-intune.png) +![How to get to the Blade.](images/azure-mdm-intune.png) Configure the blade -![Configure the Blade](images/azure-intune-configure-scope.png) +![Configure the Blade.](images/azure-intune-configure-scope.png) You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). 
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 0bb9326924..e07354fa81 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png) +![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png) **CONTEXT-ALLOW** Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 46ee3a5e98..15a939f7eb 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. -![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png) +![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png) ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. 
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 4fabdbc971..d1db6d514e 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re 1. Open the WCD tool. 2. Click **Advanced Provisioning**. - ![icd start page](images/bulk-enrollment7.png) + ![icd start page.](images/bulk-enrollment7.png) 3. Enter a project name and click **Next**. 4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). Here is the screenshot of the WCD at this point. - ![bulk enrollment screenshot](images/bulk-enrollment.png) + ![bulk enrollment screenshot.](images/bulk-enrollment.png) 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 11. On the main menu click **Export** > **Provisioning package**. - ![icd menu for export](images/bulk-enrollment2.png) + ![icd menu for export.](images/bulk-enrollment2.png) 12. Enter the values for your package and specify the package output location. - ![enter package information](images/bulk-enrollment3.png) - ![enter additional information for package information](images/bulk-enrollment4.png) - ![specify file location](images/bulk-enrollment6.png) + ![enter package information.](images/bulk-enrollment3.png) + ![enter additional information for package information.](images/bulk-enrollment4.png) + ![specify file location.](images/bulk-enrollment6.png) 13. Click **Build**. - ![icb build window](images/bulk-enrollment5.png) + ![icb build window.](images/bulk-enrollment5.png) 14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 15. Apply the package to your devices. 
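Review bot: `![icb build window.](images/bulk-enrollment5.png)` carries a pre-existing typo into the rewritten line; the tool is called ICD/WCD everywhere else in these steps (`![icd menu for export.]`, "Open the WCD tool"), so it should read `![icd build window.](images/bulk-enrollment5.png)` or, better, `![Windows Configuration Designer build window.](images/bulk-enrollment5.png)`. The three consecutive images in step 12 would also benefit from alt text that names the dialog each one shows rather than "enter package information." and "enter additional information for package information.".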
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re 5. Set **ExportCertificate** to False. 6. For **KeyLocation**, select **Software only**. - ![icd certificates section](images/bulk-enrollment8.png) + ![icd certificates section.](images/bulk-enrollment8.png) 7. Specify the workplace settings. 1. Got to **Workplace** > **Enrollments**. 2. Enter the **UPN** for the enrollment and then click **Add**. diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 64372f26a8..ab4cb97c8f 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -21,7 +21,7 @@ The CellularSettings configuration service provider is used to configure cellula The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![provisioning for cellular settings](images/provisioning-csp-cellularsettings.png) +![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png) **DataRoam**

Optional. Integer. Specifies the default roaming value. Valid values are:

diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 5063181c3f..1d42413872 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -20,7 +20,7 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png) +![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) ***entryname***

Defines the name of the connection.

diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index cce8060fe3..d4793c91e6 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices: | Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 | |------|--------|--------|--------| -| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) -| [Accounts CSP](accounts-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | -| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | -| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | -| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [DeviceStatus 
CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| -| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [RemoteFind CSP](remotefind-csp.md) | ![cross 
mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) +| [Accounts CSP](accounts-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [AppLocker CSP](applocker-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross 
mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [CertificateStore CSP](certificatestore-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | +| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DevDetail CSP](devdetail-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | +| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DevInfo CSP](devinfo-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMAcc CSP](dmacc-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMClient CSP](dmclient-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | +| 
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| +| [NodeCache CSP](nodecache-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | +| [Update CSP](update-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check 
mark](images/checkmark.png) | +| [WiFi CSP](wifi-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 8e886f3661..cc589f1f13 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd The following diagram provides a conceptual overview of how this works: -![mobile device update management](images/mdm-update-sync.png) +![mobile device update management.](images/mdm-update-sync.png) The diagram can be roughly divided into three areas: @@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need This section describes how this is done. The following diagram shows the server-server sync protocol process. -![mdm server-server sync](images/deviceupdateprocess2.png) +![mdm server-server sync.](images/deviceupdateprocess2.png) MSDN provides much information about the Server-Server sync protocol. In particular: @@ -140,7 +140,7 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy The following diagram shows the Update policies in a tree format. -![update policies](images/update-policies.png) +![update policies.](images/update-policies.png) **Update/ActiveHoursEnd** > [!NOTE] 
@@ -676,7 +676,7 @@ Example The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format.. -![provisioning csp update](images/provisioning-csp-update.png) +![provisioning csp update.](images/provisioning-csp-update.png) **Update** The root node. @@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. -![mdm update management screenshot](images/deviceupdatescreenshot1.png) +![mdm update management screenshot.](images/deviceupdatescreenshot1.png) -![mdm update management metadata screenshot](images/deviceupdatescreenshot2.png) +![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) ## SyncML example 
@@ -945,5 +945,5 @@ Set auto update to notify and defer. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. -![mdm device update management screenshot3](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) +![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index f24564545c..0db22bf159 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md 
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile. The following diagram shows the DeviceInstanceService configuration service provider in tree format. -![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png) +![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png) **Roaming** A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming. diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index cef65071ec..9933e58a23 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled) The following image shows the DeviceLock configuration service provider in tree format. -![devicelock csp](images/provisioning-csp-devicelock.png) +![devicelock csp.](images/provisioning-csp-devicelock.png) **Provider** Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 6043b61d8c..92ed52968c 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m 1. On your managed device go to **Settings** > **Accounts** > **Access work or school**. 1. Click your work or school account, then click **Info.** - ![Access work or school page in Settings](images/diagnose-mdm-failures15.png) + ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) 1. At the bottom of the **Settings** page, click **Create report**. - ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png) + ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png) 1. A window opens that shows the path to the log files. Click **Export**. - ![Access work or school log files](images/diagnose-mdm-failures17.png) + ![Access work or school log files.](images/diagnose-mdm-failures17.png) 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. @@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event Here's a screenshot: -![mdm event viewer](images/diagnose-mdm-failures1.png) +![mdm event viewer.](images/diagnose-mdm-failures1.png) In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer. 
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches 1. Open eventvwr.msc. 2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. - ![event viewer screenshot](images/diagnose-mdm-failures9.png) + ![event viewer screenshot.](images/diagnose-mdm-failures9.png) 3. Navigate to the etl file that you got from the device and then open the file. 4. Click **Yes** when prompted to save it to the new log format. - ![event viewer prompt](images/diagnose-mdm-failures10.png) + ![event viewer prompt.](images/diagnose-mdm-failures10.png) - ![diagnose mdm failures](images/diagnose-mdm-failures11.png) + ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) 5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. - ![event viewer actions](images/diagnose-mdm-failures12.png) + ![event viewer actions.](images/diagnose-mdm-failures12.png) 6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. - ![event filter for Device Management](images/diagnose-mdm-failures13.png) + ![event filter for Device Management.](images/diagnose-mdm-failures13.png) 7. Now you are ready to start reviewing the logs. - ![event viewer review logs](images/diagnose-mdm-failures14.png) + ![event viewer review logs.](images/diagnose-mdm-failures14.png) ## Collect device state data diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 35fe6568b0..5f48d033a0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenerollment](images/azure-ad-unenrollment.png) +![aadj unenerollment.](images/azure-ad-unenrollment.png) When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 43882781ec..2ef69ad6c3 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md 
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s 1. Run rasphone.exe. - ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png) + ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png) 1. If you don't currently have a VPN connection and you see the following message, select **OK**. - ![vpnv2 csp network connections](images/vpnv2-csp-networkconnections.png) + ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png) 1. In the wizard, select **Workplace network**. - ![vpnv2 csp set up connection](images/vpnv2-csp-setupnewconnection.png) + ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) 1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters. - ![vpnv2 csp set up connection 2](images/vpnv2-csp-setupnewconnection2.png) + ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) 1. Create a fake VPN connection. In the UI shown here, select **Properties**. - ![vpnv2 csp choose nw connection](images/vpnv2-csp-choosenetworkconnection.png) + ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png) 1. In the **Test Properties** dialog, select the **Security** tab. - ![vpnv2 csp test props](images/vpnv2-csp-testproperties.png) + ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png) 1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. - ![vpnv2 csp test props2](images/vpnv2-csp-testproperties2.png) + ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png) 1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. - ![vpnv2 csp test props3](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) + ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) 1. 
Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. @@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Follow steps 1 through 7 in the EAP configuration article. 1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS). - ![vpn self host properties window](images/certfiltering1.png) + ![vpn self host properties window.](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. @@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio 1. Select the **Properties** button underneath the drop-down menu. 1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window](images/certfiltering2.png) + ![smart card or other certificate properties window.](images/certfiltering2.png) 1. On the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate window](images/certfiltering3.png) + ![configure certificate window.](images/certfiltering3.png) 1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. 1. Close the rasphone dialog box. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index d6a0127bab..cfc9928a0b 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 2. Under **Best match**, click **Edit group policy** to launch it. - ![GPEdit search](images/admx-gpedit-search.png) + ![GPEdit search.](images/admx-gpedit-search.png) 3. In **Local Computer Policy** navigate to the policy you want to configure. In this example, navigate to **Administrative Templates > System > App-V**. - ![App-V policies](images/admx-appv.png) + ![App-V policies.](images/admx-appv.png) 4. Double-click **Enable App-V Client**. The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters) - ![Enable App-V client](images/admx-appv-enableapp-vclient.png) + ![Enable App-V client.](images/admx-appv-enableapp-vclient.png) 3. Create the SyncML to enable the policy that does not require any parameter. 
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy. - ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png) + ![Enable publishing server 2 policy.](images/admx-appv-publishingserver2.png) - ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png) + ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png) 2. Find the variable names of the parameters in the ADMX file. You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). - ![Publishing server 2 policy description](images/admx-appv-policy-description.png) + ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index f4c951af17..bab52cb7fd 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md 
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we The following diagram shows a high-level overview of the process. -![update process for windows embedded 8.1 devices](images/windowsembedded-update.png) +![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png) ## Step 1: Prepare a test device to download updates from Microsoft Update @@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo 1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline. - ![device scan using Configuration Manager](images/windowsembedded-update2.png) + ![device scan using Configuration Manager.](images/windowsembedded-update2.png) 2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step. - ![device scan using Configuration Manager](images/windowsembedded-update3.png) + ![device scan using Configuration Manager.](images/windowsembedded-update3.png) 3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. - ![device scan using Configuration Manager](images/windowsembedded-update4.png) + ![device scan using Configuration Manager.](images/windowsembedded-update4.png) 4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.) 5. Follow the prompts for downloading the updates, but do not install the updates on the device. 
@@ -216,11 +216,11 @@ The deployment process has three parts: 1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**. - ![embedded device update](images/windowsembedded-update18.png) + ![embedded device update.](images/windowsembedded-update18.png) 2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`. - ![embedded device update](images/windowsembedded-update19.png) + ![embedded device update.](images/windowsembedded-update19.png) 3. Select **Remediate noncompliant settings**, and then select **OK**. @@ -231,7 +231,7 @@ The deployment process has three parts: 1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` 2. Select **Remediate noncompliant settings**. - ![embedded device update](images/windowsembedded-update21.png) + ![embedded device update.](images/windowsembedded-update21.png) 3. Select **OK**. @@ -242,11 +242,11 @@ The deployment process has three parts: 1. Create a configuration baseline item and give it a name (such as ControlledUpdates). 2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**. - ![embedded device update](images/windowsembedded-update22.png) + ![embedded device update.](images/windowsembedded-update22.png) 3. Deploy the configuration baseline to the appropriate device or device collection. - ![embedded device update](images/windowsembedded-update23.png) + ![embedded device update.](images/windowsembedded-update23.png) 4. Select **OK**. 
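Review bot: Across the @@ -216, @@ -231 and @@ -242 hunks, five different screenshots (windowsembedded-update18 through update23) all carry the same alt text "embedded device update.", which tells a screen-reader user nothing about which dialog is shown; the surrounding steps already name the content (the Device File filter, the `NonPersistent\DUControlledUpdates.xml` path, the ControlledUpdates baseline, the baseline deployment), so reuse those names in the alt text while these lines are being touched.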
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices: 2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**. 3. Select **Create Configuration Item**. - ![device update using Configuration Manager](images/windowsembedded-update5.png) + ![device update using Configuration Manager.](images/windowsembedded-update5.png) 4. Enter a filename (such as GetDUReport), and then select **Mobile Device**. 5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**. - ![device update using Configuration Manager](images/windowsembedded-update6.png) + ![device update using Configuration Manager.](images/windowsembedded-update6.png) 6. On the **Additional Settings** page, select **Add**. - ![device update using Configuration Manager](images/windowsembedded-update7.png) + ![device update using Configuration Manager.](images/windowsembedded-update7.png) 7. On the **Browse Settings** page, select **Create Setting**. - ![device update](images/windowsembedded-update8.png) + ![device update.](images/windowsembedded-update8.png) 8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**. 9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**. - ![handheld device update](images/windowsembedded-update9.png) + ![handheld device update.](images/windowsembedded-update9.png) 10. On the **Browse Settings** page, select **Close**. 11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**. - ![embedded device update](images/windowsembedded-update10.png) + ![embedded device update.](images/windowsembedded-update10.png) 12. Close the **Create Configuration Item Wizard** page. 13. 
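Review bot: In the @@ -472 hunk, the alt text for step 9 (windowsembedded-update9.png) is "handheld device update." although the screenshot is the Create Setting dialog with the OMA-URI `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`; steps 3, 5 and 6 likewise share "device update using Configuration Manager." and step 7 drops to "device update.", so a reader navigating by image cannot tell the wizard pages apart. Suggest alt text that names the page, e.g. "OMA-URI setting for UpdatesResultXml." for step 9 and "Create Configuration Item wizard, Mobile Device Settings page." for step 5.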
Right-click on the newly create configuration item, and then select the **Compliance Rules** tab. 14. Select the new created mobile device setting (such as DUReport), and then select **Select**. 15. Enter a dummy value (such as zzz) that is different from the one on the device. - ![embedded device update](images/windowsembedded-update11.png) + ![embedded device update.](images/windowsembedded-update11.png) 16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option. 17. Select **OK** to close the **Edit Rule** page. 18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**. 19. Select **Create Configuration Item**. - ![embedded device update](images/windowsembedded-update12.png) + ![embedded device update.](images/windowsembedded-update12.png) 20. Enter a baseline name (such as RetrieveDUReport). 21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport). - ![embedded device update](images/windowsembedded-update13.png) + ![embedded device update.](images/windowsembedded-update13.png) 22. Select **OK**, and then select **OK** again to complete the configuration baseline. 23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**. - ![embedded device update](images/windowsembedded-update14.png) + ![embedded device update.](images/windowsembedded-update14.png) 24. Select **Remediate noncompliant rules when supported**. 25. Select the appropriate device collection and define the schedule. - ![device update](images/windowsembedded-update15.png) + ![device update.](images/windowsembedded-update15.png) 26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. 
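Review bot: The unchanged context lines for steps 13 and 14 in the same @@ -472 hunk read "newly create configuration item" and "the new created mobile device setting"; since the hunk already rewrites the neighbouring image lines, fix both to "newly created" in this pass rather than leaving the typos for a later PR. The alt text for steps 15, 19, 21 and 23 also repeats "embedded device update." for four distinct dialogs (Edit Rule, Create Configuration Baseline, Add configuration item, Deploy), same concern as the earlier hunks.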
Right-click on the deployment, and then select **View Status**. 27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab. 28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**. - ![device update](images/windowsembedded-update16.png) + ![device update.](images/windowsembedded-update16.png) 29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here. - ![device update](images/windowsembedded-update17.png) + ![device update.](images/windowsembedded-update17.png) 30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log. 31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 322e4dbc40..c9f13235e0 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
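Review bot: Step 31 in the context lines tells the reader to search SMS_DM.log for the string 'RuleExression="Equals zzz,"'; please confirm whether "RuleExression" is the literal token written to the log or a typo for "RuleExpression", because a reader searching for a misspelled token will not find the entry. Step 28 also says "Mode Details" where the Configuration Manager menu item is presumably "More Details"; worth checking while this region is being edited.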
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. - ![Intune license verification](images/auto-enrollment-intune-license-verification.png) + ![Intune license verification.](images/auto-enrollment-intune-license-verification.png) 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). - ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) + ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) > [!IMPORTANT] > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. 
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service: You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. - ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png) + ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - ![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png) + ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) This information can also be found on the Azure AD device list. - ![Azure AD device list](images/azure-ad-device-list.png) + ![Azure AD device list.](images/azure-ad-device-list.png) 5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc - ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png) + ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) 6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) + ![Mobility setting MDM intune.](images/auto-enrollment-microsoft-intune-setting.png) 7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 
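Review bot: In the @@ -62 hunk, the new alt text "Auto-enrollment Azure AD prt verification." lowercases "prt" while the preceding sentence refers to **AzureAdPrt** (the Primary Refresh Token); capitalize it as "PRT" so the alt text matches the term the reader is told to look for. Step 5's discovery URL https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc is left as bare text in the context line; wrapping it in backticks would stop the trailing period ambiguity for readers copying it.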
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee 9. Verify that Microsoft Intune should allow enrollment of Windows devices. - ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png) + ![Enrollment of Windows devices.](images/auto-enrollment-enrollment-of-windows-devices.png) ## Configure the auto-enrollment Group Policy for a single PC @@ -102,18 +102,18 @@ Requirements: Click Start, then in the text box type gpedit. - ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) + ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. 3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. > [!div class="mx-imgBorder"] - > ![MDM policies](images/autoenrollment-mdm-policies.png) + > ![MDM policies.](images/autoenrollment-mdm-policies.png) 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) + ![MDM autoenrollment policy.](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. @@ -129,7 +129,7 @@ Requirements: If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. - ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) + ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) > [!Tip] > You can avoid this behavior by using Conditional Access Policies in Azure AD. 
@@ -139,7 +139,7 @@ Requirements: 7. Click **Info** to see the MDM enrollment information. - ![Work School Settings](images/autoenrollment-settings-work-school.png) + ![Work School Settings.](images/autoenrollment-settings-work-school.png) If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). @@ -148,13 +148,13 @@ Requirements: 1. Click **Start**, then in the text box type **task scheduler**. - ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png) + ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) 2. Under **Best match**, click **Task Scheduler** to launch it. 3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. - ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) + ![Auto-enrollment scheduled task.](images/autoenrollment-scheduled-task.png) To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. 
@@ -239,13 +239,13 @@ To collect Event Viewer logs: 3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully: - ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png) + ![Event ID 75.](images/auto-enrollment-troubleshooting-event-id-75.png) If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons: - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed: - ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png) + ![Event ID 76.](images/auto-enrollment-troubleshooting-event-id-76.png) To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information. @@ -253,7 +253,7 @@ To collect Event Viewer logs: The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot: - ![Task scheduler](images/auto-enrollment-task-scheduler.png) + ![Task scheduler.](images/auto-enrollment-task-scheduler.png) > [!Note] > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task. 
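Review bot: In the @@ -239 hunk, the unchanged context line links to https://support.microsoft.com/en-ph/help/4469913/... with a hard-coded "en-ph" locale segment; dropping the locale (or using the locale-neutral support.microsoft.com/help/4469913 form) lets the site serve the reader's own language, and this is the natural moment to fix it since the surrounding lines are already being edited. The event ID 75 and 76 alt text is fine as changed.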
@@ -262,24 +262,24 @@ To collect Event Viewer logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. - ![Event ID 107](images/auto-enrollment-event-id-107.png) + ![Event ID 107.](images/auto-enrollment-event-id-107.png) When the task is completed, a new event ID 102 is logged. - ![Event ID 102](images/auto-enrollment-event-id-102.png) + ![Event ID 102.](images/auto-enrollment-event-id-102.png) Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: - ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) + ![Outdated enrollment entries.](images/auto-enrollment-outdated-enrollment-entries.png) By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. 
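Review bot: In the @@ -262 hunk, the context paragraph "If you cannot see from the log that task Schedule created by enrollment client ... there is possibly issue with the group policy" has two grammar slips ("task Schedule" for the scheduled task's name, and "possibly issue" for "possibly an issue"); since the hunk touches the image lines on both sides of this paragraph, tidy it in the same change. The registry path is given as **HKLM > Software > Microsoft > Enrollments** while the rest of the document uses backslash-separated paths in backticks (compare `gpupdate /force` on the same lines), so consider `HKLM\Software\Microsoft\Enrollments` for consistency.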
In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: - ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) + ![Manually deleted entries.](images/auto-enrollment-activation-verification-less-entries.png) ### Related topics diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index b809041a65..c29e2047ad 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem The following diagram shows the EnterpriseModernAppManagement CSP in a tree format. -![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) +![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png) Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 51c1a6581f..98249aad50 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md 
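Review bot: The alt text changed in this region, "Manually deleted entries.", does not describe the screenshot it is attached to: the sentence immediately before it says "All other keys will display fewer entries as shown in the following screenshot", and the file name is auto-enrollment-activation-verification-less-entries.png, so the image shows the keys that should be kept, not deleted ones. Suggest "Enrollment registry keys with fewer entries." so a screen-reader user is not told the opposite of what the prose says.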
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. -![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png) +![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png) ***EnterpriseID*** Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 12547591ba..3df7b51be2 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. -![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) +![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png) **FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9f691cab8c..03fb5b432d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
@@ -104,7 +104,7 @@ The following is a list of functions performed by the Device HealthAttestation C - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report) -![healthattestation service diagram](images/healthattestation_2.png) +![healthattestation service diagram.](images/healthattestation_2.png)
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 36a979715e..af7934b674 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. -![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png) +![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png) **Enabled** Required. Specifies whether to enable Internet sharing on the device. The default is false. diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 08a455f462..68633b48af 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  -![Mobile application management app](images/implement-server-side-mobile-application-management.png) +![Mobile application management app.](images/implement-server-side-mobile-application-management.png) MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 12e50c7af7..875c7d0ded 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. -![business store offline app distribution](images/businessstoreportalservices2.png) +![business store offline app distribution.](images/businessstoreportalservices2.png) ### Online-licensed application distribution The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application. -![business store online app distribution](images/businessstoreportalservices3.png) +![business store online app distribution.](images/businessstoreportalservices3.png) ## Integrate with Azure Active Directory @@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca The diagram below shows the call patterns for acquiring a new or updated application. -![business store portal service flow diagram](images/businessstoreportalservicesflow.png) +![business store portal service flow diagram.](images/businessstoreportalservicesflow.png) **Here is the list of available operations**: diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index d1e7b033f2..6dbe747d92 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. -![active directory azure ad signin](images/unifiedenrollment-rs1-1.png) +![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) ### Connect your device to an Active Directory domain (join a domain) @@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien 1. On the **Who Owns this PC?** page, select **My work or school owns it**. - ![oobe local account creation](images/unifiedenrollment-rs1-2.png) + ![oobe local account creation.](images/unifiedenrollment-rs1-2.png) 2. Next, select **Join a domain**. - ![select domain or azure ad](images/unifiedenrollment-rs1-3.png) + ![select domain or azure ad.](images/unifiedenrollment-rs1-3.png) 3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. - ![create pc account](images/unifiedenrollment-rs1-4.png) + ![create pc account.](images/unifiedenrollment-rs1-4.png) ### Use the Settings app 
@@ -56,27 +56,27 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-5.png) + ![windows settings page.](images/unifiedenrollment-rs1-5.png) 2. Next, select **Accounts**. - ![windows settings accounts select](images/unifiedenrollment-rs1-6.png) + ![windows settings accounts select.](images/unifiedenrollment-rs1-6.png) 3. Navigate to **Access work or school**. - ![select access work or school](images/unifiedenrollment-rs1-7.png) + ![select access work or school.](images/unifiedenrollment-rs1-7.png) 4. Select **Connect**. - ![connect to work or school](images/unifiedenrollment-rs1-8.png) + ![connect to work or school.](images/unifiedenrollment-rs1-8.png) 5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. - ![join account to active directory domain](images/unifiedenrollment-rs1-9.png) + ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) 6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. - ![type in domain name](images/unifiedenrollment-rs1-10.png) + ![type in domain name.](images/unifiedenrollment-rs1-10.png) ### Help with connecting to an Active Directory domain 
@@ -101,11 +101,11 @@ To join a domain: 1. Select **My work or school owns it**, then select **Next.** - ![oobe local account creation](images/unifiedenrollment-rs1-11.png) + ![oobe local account creation.](images/unifiedenrollment-rs1-11.png) 2. Select **Join Azure AD**, and then select **Next.** - ![select domain or azure ad](images/unifiedenrollment-rs1-12.png) + ![select domain or azure ad.](images/unifiedenrollment-rs1-12.png) 3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. @@ -113,7 +113,7 @@ To join a domain: Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. - ![azure ad signin](images/unifiedenrollment-rs1-13.png) + ![azure ad signin.](images/unifiedenrollment-rs1-13.png) ### Use the Settings app 
@@ -121,27 +121,27 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-14.png) + ![windows settings page.](images/unifiedenrollment-rs1-14.png) 2. Next, navigate to **Accounts**. - ![windows settings accounts select](images/unifiedenrollment-rs1-15.png) + ![windows settings accounts select.](images/unifiedenrollment-rs1-15.png) 3. Navigate to **Access work or school**. - ![select access work or school](images/unifiedenrollment-rs1-16.png) + ![select access work or school.](images/unifiedenrollment-rs1-16.png) 4. Select **Connect**. - ![connect to work or school](images/unifiedenrollment-rs1-17.png) + ![connect to work or school.](images/unifiedenrollment-rs1-17.png) 5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**. - ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) + ![join work or school account to azure ad.](images/unifiedenrollment-rs1-18.png) 6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![azure ad sign in](images/unifiedenrollment-rs1-19.png) + ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) 7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
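Review bot: In the @@ -121 hunk, the context line for step 5 reads "Under **Alternate Actions**, selct **Join this device to Azure Active Directory**"; "selct" should be "select", and it is worth fixing here because the hunk already rewrites the image line directly beneath it. The alt text "join work or school account to azure ad." on that same image would read better as "Join this device to Azure Active Directory option." to match the menu item named in the step.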
@@ -151,7 +151,7 @@ To create a local account and connect the device: After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. - ![corporate sign in](images/unifiedenrollment-rs1-20.png) + ![corporate sign in.](images/unifiedenrollment-rs1-20.png) ### Help with connecting to an Azure AD domain @@ -183,19 +183,19 @@ To create a local account and connect the device: 1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. - ![windows settings page](images/unifiedenrollment-rs1-21-b.png) + ![windows settings page.](images/unifiedenrollment-rs1-21-b.png) 2. Navigate to **Access work or school**. - ![select access work or school](images/unifiedenrollment-rs1-23-b.png) + ![select access work or school.](images/unifiedenrollment-rs1-23-b.png) 3. Select **Connect**. - ![connect to work or school](images/unifiedenrollment-rs1-24-b.png) + ![connect to work or school.](images/unifiedenrollment-rs1-24-b.png) 4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png) + ![join work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) 5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
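Review bot: the step 1 navigation path in the second hunk, "select **Accounts** >**Start** > **Settings** > **Accounts**", reads as a duplicated path and should be a single sequence (**Start** > **Settings** > **Accounts**, matching the other procedures on this page). Step 5 in the same hunk is also missing a subject: "and can enter your password directly into the page" should be "and you can enter your password directly into the page", as the parallel sentence at step 7 of the earlier procedure already reads.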
@@ -205,11 +205,11 @@ To create a local account and connect the device: Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. - ![corporate sign in](images/unifiedenrollment-rs1-26.png) + ![corporate sign in.](images/unifiedenrollment-rs1-26.png) 6. After you complete the flow, your Microsoft account will be connected to your work or school account. - ![account successfully added](images/unifiedenrollment-rs1-27.png) + ![account successfully added.](images/unifiedenrollment-rs1-27.png) ### Connect to MDM on a desktop (enrolling in device management) 
@@ -221,29 +221,29 @@ To create a local account and connect the device: 1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-28.png) + ![windows settings page.](images/unifiedenrollment-rs1-28.png) 2. Next, navigate to **Accounts**. - ![windows settings accounts page](images/unifiedenrollment-rs1-29.png) + ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) 3. Navigate to **Access work or school**. - ![access work or school](images/unifiedenrollment-rs1-30.png) + ![access work or school.](images/unifiedenrollment-rs1-30.png) 4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - ![connect to work or school](images/unifiedenrollment-rs1-31.png) + ![connect to work or school.](images/unifiedenrollment-rs1-31.png) 5. Type in your work email address. - ![set up work or school account](images/unifiedenrollment-rs1-32.png) + ![set up work or school account.](images/unifiedenrollment-rs1-32.png) 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. - ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) + ![corporate sign in.](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. 
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links: - IT admins can add this link to a welcome email that users can select to enroll into MDM. - ![using enrollment deeplink in email](images/deeplinkenrollment1.png) + ![using enrollment deeplink in email.](images/deeplinkenrollment1.png) - IT admins can also add this link to an internal web page that users refer to enrollment instructions. @@ -308,20 +308,20 @@ To connect your devices to MDM using deep links: Type in your work email address. - ![set up work or school account](images/deeplinkenrollment3.png) + ![set up work or school account.](images/deeplinkenrollment3.png) 3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. - ![corporate sign in](images/deeplinkenrollment4.png) + ![corporate sign in.](images/deeplinkenrollment4.png) ## Manage connections To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection. -![managing work or school account](images/unifiedenrollment-rs1-34-b.png) +![managing work or school account.](images/unifiedenrollment-rs1-34-b.png) ### Info 
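Review bot: the context line following the first hunk, "an internal web page that users refer to enrollment instructions", is ungrammatical; it should read "an internal web page that users refer to for enrollment instructions". Worth folding into this change since the deep-link section is already being edited.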
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. -![work or school info](images/unifiedenrollment-rs1-35-b.png) +![work or school info.](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] > Starting in Windows 10, version 1709, the **Manage** button is no longer available. @@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here. -![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png) +![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index e9383e871f..ad2d4edddc 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -17,7 +17,7 @@ The Messaging configuration service provider is used to configure the ability to The following diagram shows the Messaging configuration service provider in tree format. -![messaging csp](images/provisioning-csp-messaging.png) +![messaging csp.](images/provisioning-csp-messaging.png) **./User/Vendor/MSFT/Messaging** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 32f9b5ee66..6c898afe02 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. -![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png) +![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) Here is the corresponding registry key: diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 1b5f5ecdd4..0b715c1a53 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (initial bootstrapping)](images/provisioning-csp-napdef-cp.png) +![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png) The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -![napdef csp (cp) (update bootstrapping)](images/provisioning-csp-napdef-cp-2.png) +![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png) **NAPAUTHINFO** Defines a group of authentication settings. 
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ce79fdb702..272489e4a8 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine. -![ssl settings](images/ssl-settings.png) +![ssl settings.](images/ssl-settings.png) ### MDM enrollment fails on the mobile device when traffic is going through proxy @@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration 1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article. 2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) - ![vpn selfhost properties window](images/certfiltering1.png) + ![vpn selfhost properties window.](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. 
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration 3. Click the **Properties** button underneath the drop down menu. 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window](images/certfiltering2.png) + ![smart card or other certificate properties window.](images/certfiltering2.png) 5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate selection window](images/certfiltering3.png) + ![configure certificate selection window.](images/certfiltering3.png) 6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. 7. Close the rasphone dialog box. 8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering. @@ -492,7 +492,7 @@ No. Only one MDM is allowed. 4. Click **Configure**. 5. Set quota to unlimited. - ![aad maximum joined devices](images/faq-max-devices.png) + ![aad maximum joined devices.](images/faq-max-devices.png) ### **What is dmwappushsvc?** diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index c73d5fdc8d..84ff8f5e34 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows The following diagram shows the PassportForWork configuration service provider in tree format. -![passportforwork csp](images/provisioning-csp-passportforwork.png) +![passportforwork csp.](images/provisioning-csp-passportforwork.png) ### Device configuration diagram The following diagram shows the PassportForWork configuration service provider in tree format. -![passportforwork diagram](images/provisioning-csp-passportforwork2.png) +![passportforwork diagram.](images/provisioning-csp-passportforwork2.png) **PassportForWork** Root node for PassportForWork configuration service provider. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index ddeb61f84a..da0f0543dc 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -44,7 +44,7 @@ The Policy configuration service provider has the following sub-categories: The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. -![policy csp diagram](images/provisioning-csp-policy.png) +![policy csp diagram.](images/provisioning-csp-policy.png) **./Vendor/MSFT/Policy** diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 9d7aa06011..013edacaec 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and ``` You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. -:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image"::: +:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image."::: @@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i You can also block installation by using a custom profile in Intune. -![Custom profile prevent devices](images/custom-profile-prevent-other-devices.png) +![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png) @@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed. -![Custom profile prevent device ids](images/custom-profile-prevent-device-ids.png) +![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png) @@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile prevents installation of devices with matching device instance IDs. -![Custom profile](images/custom-profile-prevent-device-instance-ids.png) +![Custom profile.](images/custom-profile-prevent-device-instance-ids.png) To prevent installation of devices with matching device instance IDs by using custom profile in Intune: 1. Locate the device instance ID. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index cdf909411f..7f7e8ae961 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md 
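Review bot: the alt text added in the first hunk, "This is a edit row image.", has a grammar error ("a edit") and still does not describe the screenshot; prefer something like "Edit row dialog for a custom Intune profile." In the last hunk, "Custom profile." drops the qualifier the sibling images carry ("Custom profile prevent device ids.") and should say what the profile does, for example "Custom profile that prevents installation by device instance ID."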
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -40,20 +40,6 @@ manager: dansimp -Steps to use this policy correctly: - -1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). - 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays - 1. The value can be between min / max allowed. -1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. -1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. - -> [!NOTE] -> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. -
@@ -79,6 +65,20 @@ Steps to use this policy correctly:
+Steps to use this policy correctly: + +1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). +1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). + 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays + 1. The value can be between min / max allowed. +1. Enroll HoloLens devices and verify both configurations get applied to the device. +1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. + +> [!NOTE] +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. +
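Review bot: the block is moved verbatim, but the note at the end is ungrammatical and loses its subject: "Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to "disconnected" environments." Since the text is being rewritten into this location anyway, make it "Until step 4 is performed for an Azure AD user, that user will see the failure behavior described for "disconnected" environments." The sub-step "The value can be between min / max allowed." also states no range; either give the actual minimum and maximum or point to where they are documented.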


diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b02ba826b4..d627137d97 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/14/2020 +ms.date: 08/26/2021 ms.reviewer: manager: dansimp --- @@ -62,7 +62,7 @@ manager: dansimp System/AllowUserToResetPhone
- System/AllowWuFBCloudProcessing + System/AllowWUfBCloudProcessing
System/BootStartDriverInitialization @@ -964,7 +964,7 @@ The following list shows the supported values:
-**System/AllowWuFBCloudProcessing** +**System/AllowWUfBCloudProcessing**
@@ -985,6 +985,15 @@ If you disable or do not configure this policy setting, devices enrolled to the
+ + +The following list shows the supported values: + +- 0 - Disabled. +- 8 - Enabled. + + + **System/BootStartDriverInitialization** diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index a0a34ee244..92df20eba2 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
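Review bot: the new supported-values list gives `8 - Enabled` rather than the `1` used for almost every other policy in this CSP; confirm this against the policy definition before merging and, if it is correct, add a sentence saying that 1 is not accepted so readers do not apply the usual 0/1 convention. For the rename from `AllowWuFBCloudProcessing` to `AllowWUfBCloudProcessing`, check that every occurrence in the file was updated (any OMA-URI example or anchor further down), so the table entry and the heading keep resolving to each other.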
@@ -52,34 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. - ![mdm push notification1](images/push-notification1.png) + ![mdm push notification1.](images/push-notification1.png) 2. Create a new app. - ![mdm push notification2](images/push-notification2.png) + ![mdm push notification2.](images/push-notification2.png) 3. Reserve an app name. - ![mdm push notification3](images/push-notification3.png) + ![mdm push notification3.](images/push-notification3.png) 4. Click **Services**. - ![mdm push notification4](images/push-notification4.png) + ![mdm push notification4.](images/push-notification4.png) 5. Click **Push notifications**. - ![mdm push notification5](images/push-notification5.png) + ![mdm push notification5.](images/push-notification5.png) 6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. - ![mdm push notification6](images/push-notification6.png) + ![mdm push notification6.](images/push-notification6.png) 7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: - Application Id - Application Secrets - Microsoft Store Package SID, Application Identity, and Publisher. - ![mdm push notification7](images/push-notification7.png) + ![mdm push notification7.](images/push-notification7.png) 8. Click **Save**. 9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard. 10. Select your app from the list on the left. 11. From the left nav, expand **App management** and then click **App identity**. - ![mdm push notification10](images/push-notification10.png) + ![mdm push notification10.](images/push-notification10.png) 12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.   
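Review bot: the alt texts in this hunk are just "mdm push notification1." through "mdm push notification10."; adding a period does not make them meaningful to a screen reader. Reuse the step text as the description (for example "Reserve an app name." for step 3, "Package Family Name on the App identity page." for step 11) while the hunk is open.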
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 48baff3fe8..e2d40a822a 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -23,11 +23,11 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (initial bootstrapping)](images/provisioning-csp-pxlogical-cp.png) +![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png) The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. -![pxlogical csp (cp) (update bootstrapping)](images/provisioning-csp-pxlogical-cp-2.png) +![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png) **PXPHYSICAL** Defines a group of logical proxy settings. diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index be9c8a5339..28e198aa1f 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md 
@@ -23,15 +23,15 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent 1. Sign in to the Microsoft 365 admin center at using your organization's account. - ![register azuread](images/azure-ad-add-tenant10.png) + ![register azuread.](images/azure-ad-add-tenant10.png) 2. On the **Home** page, click on the Admin tools icon. - ![register azuread](images/azure-ad-add-tenant11.png) + ![register azuread.](images/azure-ad-add-tenant11.png) 3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal. - ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) + ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 9e203d4d39..4ffdbad557 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -25,7 +25,7 @@ For the SecurityPolicy CSP, you cannot use the Replace command unless the node a The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. -![securitypolicy csp (dm,cp)](images/provisioning-csp-securitypolicy-dmandcp.png) +![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png) ***PolicyID*** Defines the security policy identifier as a decimal value. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 5b211a0f55..21f39c4389 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
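Review bot: in the first hunk, steps 1 and 2 end up with identical alt text ("register azuread.") for two different screenshots; give each a distinct description (sign-in page, admin tools icon). The step 3 image is also loaded from `user-images.githubusercontent.com` rather than the repo's `images/` folder; check it into the repository like the other screenshots so the page does not depend on a third-party user upload that can change or disappear.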
@@ -56,11 +56,11 @@ Group Policy option button setting: The following diagram shows the main display for the Group Policy Editor. -![Group Policy editor](images/group-policy-editor.png) +![Group Policy editor.](images/group-policy-editor.png) The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor. -![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png) +![Group Policy publisher server 2 settings.](images/group-policy-publisher-server-2-settings.png) Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol. diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 7916778bec..00d2b86cd5 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md 
@@ -119,7 +119,7 @@ Currently SwapfileSize should not be relied for determining or controlling the o **CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize** should be used for that purpose. -:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting"::: +:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting."::: > [!NOTE] > Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes. diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 3f6badf192..42a6882673 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -33,7 +33,7 @@ Important considerations: The following diagram shows the VPN configuration service provider in tree format. -![provisioning\-csp\-vpnimg](images/provisioning-csp-vpn.png) +![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png) ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index d6b9110b32..e7321b1888 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -25,7 +25,7 @@ The default security roles are defined in the root characteristic, and map to ea The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png) +![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png) **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". 
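Review bot: in the vpn-csp.md hunk the alt text is the escaped file name, "provisioning\-csp\-vpnimg.", which is what the other CSP pages in this patch avoid; replace it with a description such as "VPN CSP tree diagram." rather than only appending a period.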
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 20f21f79bc..7aaa801796 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -23,7 +23,7 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w7 application csp (dm)](images/provisioning-csp-w7-application-dm.png) +![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png) > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 125bbfb687..e867ae66ef 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -31,7 +31,7 @@ Programming considerations: The following image shows the WiFi configuration service provider in tree format. -![wi-fi csp diagram](images/provisioning-csp-wifi.png) +![wi-fi csp diagram.](images/provisioning-csp-wifi.png) The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index a8be6bba9c..e5e7511669 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -25,7 +25,7 @@ The DM client is configured during the enrollment process to be invoked by the t The following diagram shows the work flow between server and client. -![windows client and server mdm diagram](images/enterprise-workflow.png) +![windows client and server mdm diagram.](images/enterprise-workflow.png) ## Management workflow diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c68424cd04..fc13fd3034 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -19,7 +19,7 @@ The Windows Defender Advanced Threat Protection (WDATP) configuration service pr The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). -![windowsadvancedthreatprotection csp diagram](images/provisioning-csp-watp.png) +![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png) The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 2f3cdf7fc7..2fe71b5e76 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md 
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark](images/checkmark.png) 
| +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | 
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw |--------------------------------------------------------------------------|------------------------------------------| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | -[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark](images/checkmark.png) -[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark](images/checkmark.png) +[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png) +[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png) [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | -[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark](images/checkmark.png) -[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark](images/checkmark.png) -[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark](images/checkmark.png) +[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png) +[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png) +[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png) [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | -[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark](images/checkmark.png) -[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark](images/checkmark.png) +[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross 
mark.](images/checkmark.png) +[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png) [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | -[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark](images/checkmark.png) +[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png) [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | 
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | -[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark](images/checkmark.png) +[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png) [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | -[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark](images/checkmark.png) +[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png) [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | -[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark](images/checkmark.png) +[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png) [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | -[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark](images/checkmark.png) +[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png) [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | 
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | -[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark](images/checkmark.png) +[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png) [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | 
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark](images/checkmark.png) -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark](images/checkmark.png) +[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png) +[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png) [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark](images/checkmark.png) -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark](images/checkmark.png) +[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png) +[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png) [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark](images/checkmark.png) +[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png) 
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark](images/checkmark.png) +[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png) [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark](images/checkmark.png) +[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png) [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark](images/checkmark.png) +[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png) [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | **Win32\_WindowsUpdateAgentVersion** | diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 6a50151342..acdcd2d268 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -57,7 +57,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443: 7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. -:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established"::: +:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established."::: ### Data and privacy diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index e0afd3d480..490b24075a 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -119,7 +119,7 @@ To verify the BCD entries: > [!NOTE] > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension. - ![bcdedit](images/screenshot1.png) + ![bcdedit.](images/screenshot1.png) If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**. 
@@ -179,11 +179,11 @@ Dism /Image:: /Get-packages After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages: -![Dism output pending update](images/pendingupdate.png) +![Dism output pending update.](images/pendingupdate.png) 1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer. - ![Dism output revert pending](images/revertpending.png) + ![Dism output revert pending.](images/revertpending.png) 2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. @@ -193,14 +193,14 @@ After you run this command, you'll see the **Install pending** and **Uninstall P 5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive. - ![Load Hive](images/loadhive.png) + ![Load Hive.](images/loadhive.png) 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. 7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. > [!div class="mx-imgBorder"] - > ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) + > ![Unload Hive.](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) 8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive. 
@@ -256,7 +256,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the \Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F} > [!div class="mx-imgBorder"] - > ![Registry](images/controlset.png) + > ![Registry.](images/controlset.png) If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value. @@ -274,8 +274,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the * `chkdsk /f /r OsDrive:` - ![Check disk](images/check-disk.png) + ![Check disk.](images/check-disk.png) * `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` - ![SFC scannow](images/sfc-scannow.png) + ![SFC scannow.](images/sfc-scannow.png) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 454101462a..390add3169 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
@@ -165,13 +165,13 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. - ![WinDbg img](images/windbg.png) + ![WinDbg img.](images/windbg.png) 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. 8. A detailed bugcheck analysis will appear. See the example below. - ![Bugcheck analysis](images/bugcheck-analysis.png) + ![Bugcheck analysis.](images/bugcheck-analysis.png) 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index 77e524634d..10ae554304 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -44,17 +44,17 @@ If the initial TCP handshake is failing because of packet drops, then you would Source side connecting on port 445: -![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png) +![Screenshot of frame summary in Network Monitor.](images/tcp-ts-6.png) Destination side: applying the same filter, you do not see any packets. -![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) +![Screenshot of frame summary with filter in Network Monitor.](images/tcp-ts-7.png) For the rest of the data, TCP will retransmit the packets five times. **Source 192.168.1.62 side trace:** -![Screenshot showing packet side trace](images/tcp-ts-8.png) +![Screenshot showing packet side trace.](images/tcp-ts-8.png) **Destination 192.168.1.2 side trace:** 
@@ -79,15 +79,15 @@ In the below screenshots, you see that the packets seen on the source and the de **Source Side** -![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png) +![Screenshot of packets on source side in Network Monitor.](images/tcp-ts-9.png) **On the destination-side trace** -![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png) +![Screenshot of packets on destination side in Network Monitor.](images/tcp-ts-10.png) You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. -![Screenshot of packet flag](images/tcp-ts-11.png) +![Screenshot of packet flag.](images/tcp-ts-11.png) The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. @@ -110,8 +110,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it. -![Screenshot of Event Properties](images/tcp-ts-12.png) +![Screenshot of Event Properties.](images/tcp-ts-12.png) Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection. -![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) +![Screenshot of wfpstate.xml file.](images/tcp-ts-13.png) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index b432191920..daa23de8b1 100644 
--- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -21,7 +21,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: -![Adapters](images/nm-adapters.png) +![Adapters.](images/nm-adapters.png) When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. @@ -29,15 +29,15 @@ When the driver gets hooked to the network interface card (NIC) during installat 1. Run netmon in an elevated status by choosing Run as Administrator. - ![Image of Start search results for Netmon](images/nm-start.png) + ![Image of Start search results for Netmon.](images/nm-start.png) 2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**. - ![Image of the New Capture option on menu](images/tcp-ts-4.png) + ![Image of the New Capture option on menu.](images/tcp-ts-4.png) 3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. - ![Frame summary of network packets](images/tcp-ts-5.png) + ![Frame summary of network packets.](images/tcp-ts-5.png) 4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index ca8551b1dd..4c1e8b1b7f 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -58,19 +58,19 @@ Since outbound connections start to fail, you will see a lot of the below behavi - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. - ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png) + ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png) - Group Policy update failures: - ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png) + ![Screenshot of event properties for Group Policy failure.](images/tcp-ts-15.png) - File shares are inaccessible: - ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png) + ![Screenshot of error message "Windows cannot access."](images/tcp-ts-16.png) - RDP from the affected server fails: - ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png) + ![Screenshot of error when Remote Desktop is unable to connect.](images/tcp-ts-17.png) - Any other application running on the machine will start to give out errors 
@@ -84,15 +84,15 @@ If you suspect that the machine is in a state of port exhaustion: a. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png) + ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) b. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) + ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. - ![Screenshot of netstate command output](images/tcp-ts-20.png) + ![Screenshot of netstate command output.](images/tcp-ts-20.png) After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. @@ -136,7 +136,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind 1. Add a column called “handles” under details/processes. 2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe. - ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png) + ![Screenshot of handles column in Windows Task Maner.](images/tcp-ts-21.png) 3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. 
@@ -157,7 +157,7 @@ Steps to use Process explorer: File \Device\AFD - ![Screenshot of Process Explorer](images/tcp-ts-22.png) + ![Screenshot of Process Explorer.](images/tcp-ts-22.png) 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index 37b4dfa002..ba02501c81 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -16,7 +16,7 @@ manager: dansimp You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error. -![The following error has occurred: the RPC server is unavailable](images/rpc-error.png) +![The following error has occurred: the RPC server is unavailable.](images/rpc-error.png) This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. @@ -37,7 +37,7 @@ Before getting in to troubleshooting the *RPC server unavailable- error Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake. -![Diagram illustrating connection to remote server](images/rpc-flow.png) +![Diagram illustrating connection to remote server.](images/rpc-flow.png) RPC ports can be given from a specific range as well. ### Configure RPC dynamic port allocation 
@@ -162,13 +162,13 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) - Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. - ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png) + ![Screenshot of Network Monitor with dynamic port highlighted.](images/tcp-ts-23.png) - Check if we are connecting successfully to this Dynamic port successfully. - The filter should be something like this: `tcp.port==` and `ipv4.address==` - ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png) + ![Screenshot of Network Monitor with filter applied.](images/tcp-ts-24.png) This should help you verify the connectivity and isolate if any network issues are seen. @@ -177,7 +177,7 @@ This should help you verify the connectivity and isolate if any network issues a The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. -![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png) +![Screenshot of Network Monitor with TCP SYN retransmits.](images/tcp-ts-25.png) The port cannot be reachable due to one of the following reasons: diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 29a781be98..16c416a9cd 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md 
@@ -22,27 +22,27 @@ Click **Start** > **Settings** > **System** > click **About** from the bottom of You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: -![screenshot of the system properties window for a device running Windows 10](images/systemcollage.png) +![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) ## Using Keyword Search You can simply type the following in the search bar and press **ENTER** to see version details for your device. **“winver”** -![screenshot of the About Windows display text](images/winver.png) +![screenshot of the About Windows display text.](images/winver.png) **“msinfo”** or **"msinfo32"** to open **System Information**: -![screenshot of the System Information display text](images/msinfo32.png) +![screenshot of the System Information display text.](images/msinfo32.png) ## Using Command Prompt or PowerShell At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** -![screenshot of system information display text](images/refcmd.png) +![screenshot of system information display text.](images/refcmd.png) At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: -![screenshot of software licensing manager](images/slmgr_dlv.png) +![screenshot of software licensing manager.](images/slmgr_dlv.png) ## What does it all mean? diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 15407ebc50..5f433844ac 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md 
@@ -31,7 +31,7 @@ The order of apps in the XML file dictates the order of pinned apps on the taskb The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) +![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) ## Configure taskbar (general) @@ -142,11 +142,11 @@ The `` section will append listed apps to the tas ``` **Before:** -![default apps pinned to taskbar](images/taskbar-default.png) +![default apps pinned to taskbar.](images/taskbar-default.png) **After:** - ![additional apps pinned to taskbar](images/taskbar-default-plus.png) + ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) ## Remove default apps and add your own @@ -175,11 +175,11 @@ If you only want to remove some of the default pinned apps, you would use this m ``` **Before:** -![Taskbar with default apps](images/taskbar-default.png) +![Taskbar with default apps.](images/taskbar-default.png) **After:** -![Taskbar with default apps removed](images/taskbar-default-removed.png) +![Taskbar with default apps removed.](images/taskbar-default-removed.png) ## Remove default apps 
@@ -250,15 +250,15 @@ The following example shows you how to configure taskbars by country or region. When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: -![taskbar for US and UK locale](images/taskbar-region-usuk.png) +![taskbar for US and UK locale.](images/taskbar-region-usuk.png) The resulting taskbar for computers in Germany or France: -![taskbar for DE and FR locale](images/taskbar-region-defr.png) +![taskbar for DE and FR locale.](images/taskbar-region-defr.png) The resulting taskbar for computers in any other country region: -![taskbar for all other regions](images/taskbar-region-other.png) +![taskbar for all other regions.](images/taskbar-region-other.png) > [!NOTE] diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index e8a0cdee55..1190119050 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e >[!NOTE] >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819). -![Cortana at work, showing the sales data pulled from Dynamics CRM](../images/cortana-crm-screen.png) +![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png) ## Turn on Cortana with Dynamics CRM in your organization You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)? 
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use 2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**. - ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](../images/cortana-connect-crm.png) + ![Cotana at work, showing how to turn on the connected services for Dynamics CRM.](../images/cortana-connect-crm.png) The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 65919eb8e8..481cb27659 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md 
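Review bot: the alt text in the cortana-at-work-crm.md hunk (step 2, `@@ -43,7`) still reads "Cotana at work, showing how to turn on the connected services for Dynamics CRM." on the `+` line; since the line is being touched anyway, fix the spelling to "Cortana at work, ..." rather than carrying the typo forward with a new period.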
@@ -48,35 +48,35 @@ Before you can start this testing scenario, you must first set up your test envi 2. Expand the left rail by clicking the **Show the navigation pane** icon. - ![Cortana at work, showing the navigation expand icon in Power BI](../images/cortana-powerbi-expand-nav.png) + ![Cortana at work, showing the navigation expand icon in Power BI.](../images/cortana-powerbi-expand-nav.png) 3. Click **Get Data** from the left-hand navigation in Power BI. - ![Cortana at work, showing the Get Data link](../images/cortana-powerbi-getdata.png) + ![Cortana at work, showing the Get Data link.](../images/cortana-powerbi-getdata.png) 4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen. - ![Cortana at work, showing the Samples link](../images/cortana-powerbi-getdata-samples.png) + ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-getdata-samples.png) 5. Click **Retail Analysis Sample**, and then click **Connect**. - ![Cortana at work, showing the Samples link](../images/cortana-powerbi-retail-analysis-sample.png) + ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-retail-analysis-sample.png) The sample data is imported and you’re returned to the **Power BI** screen. 6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**. - ![Cortana at work, showing a dashboard view of the sample data](../images/cortana-powerbi-retail-analysis-dashboard.png) + ![Cortana at work, showing a dashboard view of the sample data.](../images/cortana-powerbi-retail-analysis-dashboard.png) 7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**. - ![Cortana at work, showing where to find the Settings option](../images/cortana-powerbi-settings.png) + ![Cortana at work, showing where to find the Settings option.](../images/cortana-powerbi-settings.png) 8. 
Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list. 9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**. - ![Cortana at work, showing where to find the dataset options](../images/cortana-powerbi-retail-analysis-dataset.png) + ![Cortana at work, showing where to find the dataset options.](../images/cortana-powerbi-retail-analysis-dataset.png) >[!NOTE] >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.

If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. @@ -92,7 +92,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu **To create a custom sales data Answer Page for Cortana** 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. - ![Cortana at work, showing where to create the new report](../images/cortana-powerbi-create-report.png) + ![Cortana at work, showing where to create the new report.](../images/cortana-powerbi-create-report.png) 2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**. @@ -100,11 +100,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu 3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list. - ![Cortana at work, showing the Visualizations options](../images/cortana-powerbi-pagesize.png) + ![Cortana at work, showing the Visualizations options.](../images/cortana-powerbi-pagesize.png) 4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**. - ![Cortana at work, showing the Field options](../images/cortana-powerbi-field-selection.png) + ![Cortana at work, showing the Field options.](../images/cortana-powerbi-field-selection.png) The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders. 
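Review bot: in the cortana-at-work-powerbi.md hunk `@@ -48,35`, step 5's alt text "Cortana at work, showing the Samples link." is a copy of step 4's and does not describe its own image (`cortana-powerbi-retail-analysis-sample.png`, which the step says shows **Retail Analysis Sample** and **Connect**). Suggest "Cortana at work, showing the Retail Analysis Sample and the Connect button." so the two screenshots are distinguishable to screen-reader users.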
@@ -112,7 +112,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns. - ![Cortana at work, showing the page info for your specific report](../images/cortana-powerbi-report-qna.png) + ![Cortana at work, showing the page info for your specific report.](../images/cortana-powerbi-report-qna.png) 6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. @@ -128,13 +128,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from Cortana shows you the available results. - ![Cortana at work, showing the best matches based on the Power BI data](../images/cortana-powerbi-search.png) + ![Cortana at work, showing the best matches based on the Power BI data.](../images/cortana-powerbi-search.png) 3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**. Cortana returns your custom report. - ![Cortana at work, showing your custom report from Power BI](../images/cortana-powerbi-myreport.png) + ![Cortana at work, showing your custom report from Power BI.](../images/cortana-powerbi-myreport.png) >[!NOTE] >For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 478aeb7938..c701623a88 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement 2. Click on **Connected Services**, click **Uber**, and then click **Connect**. - ![Cortana at work, showing where to connect the Uber service to Cortana](../images/cortana-connect-uber.png) + ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png) **To use the voice-enabled commands with Cortana** 1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 601ad70810..f50e213ce8 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -161,7 +161,7 @@ When you have the Start layout that you want your users to see, use the [Export- A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. -![locked tile group](images/start-pinned-app.png) +![locked tile group.](images/start-pinned-app.png) When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 12f62c8444..7b7dcaed64 100644 
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -92,13 +92,13 @@ This procedure adds the customized Start and taskbar layout to the user configur 2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. - ![start screen layout policy settings](images/starttemplate.jpg) + ![start screen layout policy settings.](images/starttemplate.jpg) 3. Right-click **Start Layout** in the right pane, and click **Edit**. This opens the **Start Layout** policy settings. - ![policy settings for start screen layout](images/startlayoutpolicy.jpg) + ![policy settings for start screen layout.](images/startlayoutpolicy.jpg) 4. Enter the following settings, and then click **OK**: diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index ea856b24cd..42b70e6248 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -87,7 +87,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted](images/customization-start.png) + ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png) 7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). 
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index aa195fb89f..f5540c6ddd 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -50,7 +50,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform 3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) -![Image of the Choose Details options](images/aumid-file-explorer.png) +![Image of the Choose Details options.](images/aumid-file-explorer.png) ## To find the AUMID of an installed app for the current user by using the registry diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index bd502511d7..9efa2b652d 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
@@ -24,13 +24,13 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. - ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png) - **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. - ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png) Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
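Review bot: the kiosk-methods.md context line in `@@ -24,13` says the Shell Launcher kiosk "does not run above the lockscreen", while kiosk-prepare.md in this same PR writes "above the lock screen"; pick one spelling ("lock screen", matching kiosk-prepare.md) across the kiosk articles while these lines are being edited.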
@@ -38,25 +38,25 @@ There are several kiosk configuration methods that you can choose from, dependin - **Which type of app will your kiosk run?** - ![icon that represents apps](images/office-logo.png) + ![icon that represents apps.](images/office-logo.png) Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) - **Which type of kiosk do you need?** - ![icon that represents a kiosk](images/kiosk.png) + ![icon that represents a kiosk.](images/kiosk.png) If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). - **Which edition of Windows 10 will the kiosk run?** - ![icon that represents Windows](images/windows.png) + ![icon that represents Windows.](images/windows.png) All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. - **Which type of user account will be the kiosk account?** - ![icon that represents a user account](images/user.png) + ![icon that represents a user account.](images/user.png) The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. 
The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 154b35c3d0..ba1aaa2b58 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -54,7 +54,7 @@ Disable removable media. | Go to **Group Policy Editor** > **Computer Con Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) +![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) ## Automatic logon @@ -257,7 +257,7 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. -![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png) +![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png) To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index f510b637bd..73e724bd75 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md 
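Review bot: in the kiosk-prepare.md hunk `@@ -54,7`, the context sentence "Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues." repeats "issues"; suggest "Logs can help you [troubleshoot](./kiosk-troubleshoot.md) kiosk issues." since the line is in the hunk's context anyway.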
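Review bot: in the kiosk-prepare.md hunk `@@ -257,7`, the new alt text "VM windows, View menu, Extended session is not selected." contradicts the paragraph directly above it, which tells the reader to check that **Enhanced session** is not selected in the **View** menu. Align the alt text with the prose ("VM window, View menu, Enhanced session is not selected.") so the screenshot description and the instruction name the same menu item.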
@@ -137,7 +137,7 @@ The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. -![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png) +![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png) After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 8baee6a466..eac49be093 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -24,7 +24,7 @@ ms.topic: article A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. -![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) +![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) >[!IMPORTANT] >[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. 
@@ -66,7 +66,7 @@ When your kiosk is a local device that is not managed by Active Directory or Azu - If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. -![Screenshot of automatic sign-in setting](images/auto-signin.png) +![Screenshot of automatic sign-in setting.](images/auto-signin.png) ### Instructions for Windows 10, version 1809 @@ -98,7 +98,7 @@ To remove assigned access, select the account tile on the **Set up a kiosk** pag When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) -![The Set up assigned access page in Settings](images/kiosk-settings.png) +![The Set up assigned access page in Settings.](images/kiosk-settings.png) **To set up assigned access in PC settings** @@ -131,7 +131,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the > >Account type: Local standard user -![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) +![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
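Review bot: the kiosk-single-app.md alt text in `@@ -131,7` reads "PowerShell windows displaying Set-AssignedAccess cmdlet."; it describes a single screenshot, so "PowerShell window displaying the Set-AssignedAccess cmdlet." is the grammatical form.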
@@ -191,7 +191,7 @@ Clear-AssignedAccess > >Account type: Local standard user, Active Directory -![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) +![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) >[!IMPORTANT] diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 75781737fb..e34bee8204 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -53,7 +53,7 @@ For example: 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. 4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) +![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) ### Automatic logon issues diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index c2221b549a..5c2cfa795b 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -34,7 +34,7 @@ AppLocker rules are organized into collections based on file format. If no AppLo This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. -![install create lockdown customize](images/lockdownapps.png) +![install create lockdown customize.](images/lockdownapps.png) ## Install apps 
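Review bot: in the lock-down-windows-10-applocker.md hunk `@@ -34,7`, the alt text "install create lockdown customize." is a bare keyword list, and appending a period does not make it meaningful for a screen reader. Since the image sits above the "## Install apps" section and the words are the stages the article walks through, suggest a descriptive alt such as "Diagram of the four stages: install apps, create rules, lock down, customize." (wording to be confirmed against the image).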
@@ -50,13 +50,13 @@ After you install the desired apps, set up AppLocker rules to only allow specifi 2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - ![configure rule enforcement](images/apprule.png) + ![configure rule enforcement.](images/apprule.png) 3. Check **Configured** under **Executable rules**, and then click **OK**. 4. Right-click **Executable Rules** and then click **Automatically generate rules**. - ![automatically generate rules](images/genrule.png) + ![automatically generate rules.](images/genrule.png) 5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. @@ -68,7 +68,7 @@ After you install the desired apps, set up AppLocker rules to only allow specifi 9. Read the message and click **Yes**. - ![default rules warning](images/appwarning.png) + ![default rules warning.](images/appwarning.png) 10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 702221c085..2bbcd7f1a3 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -81,7 +81,7 @@ Let's start by looking at the basic structure of the XML file. - A profile has no effect if it’s not associated to a config section. - ![profile = app and config = account](images/profile-config.png) + ![profile = app and config = account.](images/profile-config.png) You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) @@ -271,7 +271,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, >[!NOTE] >If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. -![What the Start screen looks like when the XML sample is applied](images/sample-start.png) +![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) ##### Taskbar @@ -494,7 +494,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. 
@@ -544,7 +544,7 @@ Provisioning packages can be applied to a device during the first-run experience 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC](images/oobe.jpg) + ![The first screen to set up a new PC.](images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. @@ -552,11 +552,11 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device](images/prov.jpg) + ![Provision this device.](images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package](images/choose-package.png) + ![Choose a package.](images/choose-package.png) 5. Select **Yes, add it**. @@ -570,7 +570,7 @@ Provisioning packages can be applied to a device during the first-run experience >[!NOTE] >if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. -![add a package option](images/package.png) +![add a package option.](images/package.png) ### Use MDM to deploy the multi-app configuration diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index d577b69cff..6dc4c73ddb 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md 
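Review bot: in the lock-down-windows-10-to-specific-apps.md hunk `@@ -570,7`, the NOTE context line begins with a lowercase "if your provisioning package doesn't include..."; capitalize it ("If your provisioning package...") while the adjacent alt-text line is being changed. The same file's steps 3 and 4 mix "Select ... and tap **Next**"; one verb ("select") would match the rest of the procedure.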
@@ -46,7 +46,7 @@ You can manage your Wi-Fi Sense settings by using Group Policy and your Group Po 1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting. - ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png) + ![Group Policy Editor, showing the Wi-Fi Sense setting.](images/wifisense-grouppolicy.png) 2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment. @@ -60,7 +60,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.

Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise. - ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) + ![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png) ### Using the Windows Provisioning settings You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. @@ -81,7 +81,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by ### How employees can change their own Wi-Fi Sense settings If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**. -![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png) +![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png) **Important**
The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means: diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md index ecf485cb1d..87f2b7b7cf 100644 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ b/windows/configuration/mobile-devices/lockdown-xml.md @@ -62,7 +62,7 @@ The settings for the Default role and other roles must be listed in your XML fil ## Action Center -![XML for Action Center](../images/ActionCenterXML.jpg) +![XML for Action Center.](../images/ActionCenterXML.jpg) The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. @@ -92,7 +92,7 @@ The following example is a complete lockdown XML file that disables Action Cente ## Apps -![XML for Apps](../images/AppsXML.png) +![XML for Apps.](../images/AppsXML.png) The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
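Review bot: in the manage-wifi-sense-in-enterprise.md hunk `@@ -60,7`, the context line ends with "For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise." but carries no link, so it reads as a cross-reference that lost its target (or as the article pointing at itself). Either add the link or drop the sentence, since the registry value and its effect are already described on that line.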
@@ -110,7 +110,7 @@ The following example makes Outlook Calendar available on the device. When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). -![Grid to lay out tiles for Start](../images/StartGrid.jpg) +![Grid to lay out tiles for Start.](../images/StartGrid.jpg) Tile sizes are: * Small: 1x1 @@ -152,7 +152,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St That layout would appear on a device like this: -![Example of the layout on a Start screen](../images/StartGridPinnedApps.jpg) +![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg) You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. @@ -203,7 +203,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz ## Buttons -![XML for buttons](../images/ButtonsXML.jpg) +![XML for buttons.](../images/ButtonsXML.jpg) In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. 
@@ -213,11 +213,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The Button | Press | PressAndHold | All ---|:---:|:---:|:--:|- -Start | ![no](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) -Back | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Search | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Camera | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Custom 1, 2, and 3 | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) +Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) +Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) > [!NOTE] > Custom buttons are hardware buttons that can be added to devices by OEMs. @@ -270,7 +270,7 @@ In the following example, when a user presses the Search button, the phone diale ## CSPRunner -![XML for CSP Runner](../images/CSPRunnerXML.jpg) +![XML for CSP Runner.](../images/CSPRunnerXML.jpg) You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 
@@ -317,7 +317,7 @@ SyncML entry | Description ## Menu items -![XML for menu items](../images/MenuItemsXML.png) +![XML for menu items.](../images/MenuItemsXML.png) Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. @@ -329,7 +329,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ## Settings -![XML for settings](../images/SettingsXML.png) +![XML for settings.](../images/SettingsXML.png) The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. @@ -363,7 +363,7 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Tiles - ![XML for tiles](../images/TilesXML.png) + ![XML for tiles.](../images/TilesXML.png) By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. @@ -446,7 +446,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit ( 3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - ![browse button](../images/icdbrowse.png) + ![browse button.](../images/icdbrowse.png) 4. On the **File** menu, select **Save.** diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 68774e0da5..a7d82f6088 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md 
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -16,7 +16,7 @@ manager: dansimp # Use the Lockdown Designer app to create a Lockdown XML file -![Lockdown Designer in the Store](../images/ldstore.png) +![Lockdown Designer in the Store.](../images/ldstore.png) Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. @@ -55,7 +55,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to >[!IMPORTANT] >Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. > ->![turn off show more tiles for small start screen size](../images/show-more-tiles.png) +>![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) ## Prepare the PC @@ -89,7 +89,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 3. Click **Pair**. - ![Pair](../images/ld-pair.png) + ![Pair.](../images/ld-pair.png) **Connect to remote device** appears. @@ -99,7 +99,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - ![Sync](../images/ld-sync.png) + ![Sync.](../images/ld-sync.png) 7. Click the **Save** icon and enter a name for your project. 
@@ -113,7 +113,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 3. On the **Project setting** > **General settings** page, click **Pair**. - ![Pair](../images/ld-pair.png) + ![Pair.](../images/ld-pair.png) **Connect to remote device** appears. @@ -123,7 +123,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf 6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - ![Sync](../images/ld-sync.png) + ![Sync.](../images/ld-sync.png) 7. Click the **Save** icon and enter a name for your project. @@ -134,13 +134,13 @@ The apps and settings available in the pages of Lockdown Designer should now be | Page | Description | | --- | --- | -| ![Applications](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | -| ![CSP Runner](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | -| ![Settings](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | -| ![Quick actions](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | -| ![Buttons](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | -| ![Other settings](../images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | -| ![Start screen](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | +| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings.](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions.](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons.](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings.](../images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen.](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | ## Validate and export @@ -169,4 +169,4 @@ You can create additional roles for the device and have unique configurations fo 4. Configure the settings for the role as above, but make sure on each page that you select the correct role. - ![Current role selection box](../images/ld-role.png) \ No newline at end of file + ![Current role selection box.](../images/ld-role.png) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index 1d321fd9cb..ebd4218503 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md @@ -66,13 +66,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us 1. Insert an SD card containing the provisioning package into the device. 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - ![add a package option](../images/packages-mobile.png) + ![add a package option.](../images/packages-mobile.png) 3. Click **Add**. 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) ### Copying the provisioning package to the device 
@@ -82,7 +82,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) ## Related topics diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index 571a1488af..42ff3ff229 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -31,7 +31,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. -![Example of Provision this device screen](../images/nfc.png) +![Example of Provision this device screen.](../images/nfc.png) If there is an error during NFC provisioning, the device will show a message if any of the following errors occur: diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 711f3cfc4e..a265a544e3 100644 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -168,28 +168,28 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or **To set up Apps Corner** -1. On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. +1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png). +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png). -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](../images/backicon.png) to the Apps Corner settings. +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings. 4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. 5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. -6. Press **Back** ![back](../images/backicon.png) when you're done. +6. Press **Back** ![back.](../images/backicon.png) when you're done. **To use Apps Corner** -1. 
On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). +1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). >[!TIP] >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. 2. Give the device to someone else, so they can use the device and only the one app you chose. -3. When they're done and you get the device back, press and hold Power ![power](../images/powericon.png), and then swipe right to exit Apps Corner. +3. When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md index 41fc17fe04..858de39174 100644 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md @@ -36,7 +36,7 @@ On Windows 10 Mobile, the customized Start works by: The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. -![Start layout for Windows 10 Mobile](../images/mobile-start-layout.png) +![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png) The diagrams show: diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index 326ea5b8b8..a8d47b38e2 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md 
@@ -53,11 +53,11 @@ For users who work in different locations, you can configure one APN to connect 5. Enter a name for the connection, and then click **Add**. - ![Example of APN connection name](images/apn-add.png) + ![Example of APN connection name.](images/apn-add.png) 6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. - ![settings for new connection](images/apn-add-details.png) + ![settings for new connection.](images/apn-add-details.png) 7. The following table describes the settings available for the connection. diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 67c28a8b90..38d6791423 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -38,7 +38,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/win CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). -![how intune maps to csp](../images/policytocsp.png) +![how intune maps to csp.](../images/policytocsp.png) CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. @@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. -![how help content appears in icd](../images/cspinicd.png) +![how help content appears in icd.](../images/cspinicd.png) [Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. 
@@ -86,7 +86,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider ref The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. -![csp per windows edition](../images/csptable.png) +![csp per windows edition.](../images/csptable.png) The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. @@ -94,7 +94,7 @@ The full path to a specific configuration setting is represented by its Open Mob The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. -![assigned access csp tree](../images/provisioning-csp-assignedaccess.png) +![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png) The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). 
@@ -104,7 +104,7 @@ The element in the tree diagram after the root node tells you the name of the CS When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. -![placeholder in csp tree](../images/csp-placeholder.png) +![placeholder in csp tree.](../images/csp-placeholder.png) After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 38b7e01c09..818a935488 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -58,7 +58,7 @@ Provisioning packages can include management instructions and policies, installa > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. > ->![open advanced editor](../images/icd-simple-edit.png) +>![open advanced editor.](../images/icd-simple-edit.png) ## Create the provisioning package 
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 2. Click **Provision desktop devices**. - ![ICD start options](../images/icd-create-options-1703.png) + ![ICD start options.](../images/icd-create-options-1703.png) 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. - ![ICD desktop provisioning](../images/icd-desktop-1703.png) + ![ICD desktop provisioning.](../images/icd-desktop-1703.png) > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index a71916bfab..68cfcc37af 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -46,7 +46,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options](../images/icdstart-option.png) + ![ICD start options.](../images/icdstart-option.png) 3. Name your project and click **Next**. 
@@ -73,19 +73,19 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package](../images/uwp-family.png) + ![details for offline app package.](../images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package](../images/uwp-dependencies.png) + ![required frameworks for offline app package.](../images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. - ![generate license for offline app](../images/uwp-license.png) + ![generate license for offline app.](../images/uwp-license.png) - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index cca8b46be8..f6f7f9876b 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -74,11 +74,11 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate 2. Enter a name for the first app, and then click **Add**. - ![enter name for first app](../images/wcd-app-name.png) + ![enter name for first app.](../images/wcd-app-name.png) 3. Configure the settings for the appropriate installer type. - ![enter settings for first app](../images/wcd-app-commands.png) + ![enter settings for first app.](../images/wcd-app-commands.png) ## Add a universal app to your package @@ -88,19 +88,19 @@ Universal apps that you can distribute in the provisioning package can be line-o 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - ![details for offline app package](../images/uwp-family.png) + ![details for offline app package.](../images/uwp-family.png) 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - ![required frameworks for offline app package](../images/uwp-dependencies.png) + ![required frameworks for offline app package.](../images/uwp-dependencies.png) 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. - ![generate license for offline app](../images/uwp-license.png) + ![generate license for offline app.](../images/uwp-license.png) - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. 
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 4a1bb159ac..4a9381ab1c 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -35,7 +35,7 @@ Provisioning packages can be applied to a device during the first-run experience 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - ![The first screen to set up a new PC](../images/oobe.jpg) + ![The first screen to set up a new PC.](../images/oobe.jpg) 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. @@ -43,11 +43,11 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - ![Provision this device](../images/prov.jpg) + ![Provision this device.](../images/prov.jpg) 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - ![Choose a package](../images/choose-package.png) + ![Choose a package.](../images/choose-package.png) 5. Select **Yes, add it**. 
@@ -59,7 +59,7 @@ Provisioning packages can be applied to a device during the first-run experience Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. -![add a package option](../images/package.png) +![add a package option.](../images/package.png) ## Mobile editions @@ -68,13 +68,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account 1. Insert an SD card containing the provisioning package into the device. 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - ![add a package option](../images/packages-mobile.png) + ![add a package option.](../images/packages-mobile.png) 3. Click **Add**. 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) ### Copying the provisioning package to the device @@ -84,7 +84,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - ![Is this package from a source you trust](../images/package-trust.png) + ![Is this package from a source you trust.](../images/package-trust.png) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index b67e28b34d..0aa10c16b5 100644 
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -39,7 +39,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Configuration Designer wizards](../images/icd-create-options-1703.png) + ![Configuration Designer wizards.](../images/icd-create-options-1703.png) - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: @@ -56,7 +56,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > - > ![Switch to advanced editor](../images/icd-switch.png) + > ![Switch to advanced editor.](../images/icd-switch.png) 3. Enter a name for your project, and then select **Next**. @@ -87,7 +87,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. -![What the ICD interface looks like](../images/icd-runtime.png) +![What the ICD interface looks like.](../images/icd-runtime.png) The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). 
@@ -103,14 +103,14 @@ The process for configuring settings is similar for all settings. The following For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows Configuration Designer opens the reference topic when you select a setting](../images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) ## Build package 1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. - ![Export on top bar](../images/icd-export-menu.png) + ![Export on top bar.](../images/icd-export-menu.png) 2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 8a7b9c464d..1a467d4e6d 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -66,7 +66,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design 6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - ![Only Configuration Designer selected for installation](../images/icd-install.png) + ![Only Configuration Designer selected for installation.](../images/icd-install.png) ## Current Windows Configuration Designer limitations 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index e5d60aba7f..6e54b39009 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -35,7 +35,7 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. -![Target with multiple target states and conditions](../images/multi-target.png) +![Target with multiple target states and conditions.](../images/multi-target.png) The following table describes the logic for the target definition. diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 2313b0e929..a3b4e25f84 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -124,7 +124,7 @@ For details about the settings you can customize in provisioning packages, see [ Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. -![Configuration Designer options](../images/icd.png) +![Configuration Designer options.](../images/icd.png) Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators: diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index a616731808..6e01640c44 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -189,13 +189,13 @@ cmd /c InstallMyApp.bat In Windows Configuration Designer, this looks like: -![Command line in Selected customizations](../images/icd-script1.png) +![Command line in Selected customizations.](../images/icd-script1.png) You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. -![Command files in Selected customizations](../images/icd-script2.png) +![Command files in Selected customizations.](../images/icd-script2.png) When you are done, [build the package](provisioning-create-package.md#build-package). diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index e4327a7b35..ed5c4ee3a3 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md 
@@ -108,13 +108,13 @@ You can configure Windows to be in shared PC mode in a couple different ways: 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. > [!div class="mx-imgBorder"] - > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) + > ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png) 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. - ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) + ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: 
@@ -189,7 +189,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t 1. Start with a PC on the setup screen. - ![The first screen to set up a new PC](images/oobe.jpg) + ![The first screen to set up a new PC.](images/oobe.jpg) 2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. @@ -206,7 +206,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. -![add a package option](images/package.png) +![add a package option.](images/package.png) > [!NOTE] > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 24dbcd1b32..5a39031455 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -42,7 +42,7 @@ When troubleshooting basic Start issues (and for the most part, all other Window - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` - `get-AppXPackage -Name Microsoft.Windows.Cortana` - ![Example of output from cmdlets](images/start-ts-1.png) + ![Example of output from cmdlets.](images/start-ts-1.png) Failure messages will appear if they aren't installed 
@@ -188,7 +188,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded ### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted -![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png) +![Screenshots that show download icons on app tiles and missing app tiles.](images/start-ts-2.png) **Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps. @@ -236,11 +236,11 @@ Specifically, behaviors include - If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing. -![Example of a working layout](images/start-ts-3.png) +![Example of a working layout.](images/start-ts-3.png) *Working layout on first sign-in of a new roaming user profile* -![Example of a failing layout](images/start-ts-4.png) +![Example of a failing layout.](images/start-ts-4.png) *Failing layout on subsequent sign-ins* @@ -256,15 +256,15 @@ Specifically, behaviors include Before the upgrade: - ![Example of Start screen with customizations applied](images/start-ts-5.jpg) + ![Example of Start screen with customizations applied.](images/start-ts-5.jpg) After the upgrade the user pinned tiles are missing: - ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png) + ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png) Additionally, users may see blank tiles if sign-in was attempted without network connectivity. - ![Example of blank tiles](images/start-ts-7.png) + ![Example of blank tiles.](images/start-ts-7.png) **Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676). 
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index d988f11531..351f09ce8e 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -31,15 +31,15 @@ In a Start layout for Windows 10, version 1703, you can include secondary tiles Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: -![tile for MSN and for a SharePoint site](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: -![tile for MSN and for a SharePoint site with no logos](images/edge-without-logo.png) +![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png) In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout. -![tile for MSN and for a SharePoint site](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) **Example of secondary tiles in XML generated by Export-StartLayout** @@ -156,7 +156,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png) + ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png) 13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). 
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 83744db2ca..75fcbcdad0 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -121,7 +121,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are --> -![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png) +![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png) 3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index bb6d70d870..0d091fe1bb 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u UE-V architecture, with server share, desktop, and UE-V service | **Component** | **Function** | @@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p --> -![UE-V template generator process](images/uev-generator-process.png) +![UE-V template generator process.](images/uev-generator-process.png) ## Settings synchronized by default diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index bfc7cfa6f3..08853f5b22 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md 
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make. -![UE-V deployment preparation](images/uev-deployment-preparation.png) +![UE-V deployment preparation.](images/uev-deployment-preparation.png) Update & Security --> Windows Update**. - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index f822925011..e56e7a3b5b 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline.](images/wufb-quality-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) +![The notification users get for an impending feature update deadline.](images/wufb-feature-notification.png) ### Deadline with user engagement 
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline example](images/wufb-quality-engaged-notification.png) +![The notification users get for an impending engaged quality update deadline example.](images/wufb-quality-engaged-notification.png) Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline example](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline example.](images/wufb-quality-notification.png) Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline example](images/wufb-feature-update-engaged-notification.png) +![The notification users get for an impending feature update engaged deadline example.](images/wufb-feature-update-engaged-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline example](images/wufb-feature-update-deadline-notification.png) +![The notification users get for an impending feature update deadline example.](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 93a5ab27b7..8589495141 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md 
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w |Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| ## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) +![Graphic showing a deployment divided into rings for a wave deployment.](images/wufb-wave-deployment.png) ## Early validation and testing Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index e044463423..8aafc8f67d 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md 
@@ -174,7 +174,7 @@ To check your system for unsigned drivers: 5. Type **sigverif** and press ENTER. 6. The File Signature Verification tool will open. Click **Start**. - ![File Signature Verification](../images/sigverif.png) + ![File Signature Verification.](../images/sigverif.png) 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers. 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired. @@ -268,7 +268,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: -![Get important updates](../images/update.jpg) +![Get important updates.](../images/update.jpg) ### Verify disk space 
@@ -280,13 +280,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un The amount of space available on the system drive will be displayed under the drive. See the following example: -![System drive](../images/drive.png) +![System drive.](../images/drive.png) In the previous example, there is 703 GB of available free space on the system drive (C:). To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: -![Disk cleanup](../images/cleanup.png) +![Disk cleanup.](../images/cleanup.png) For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 9e7a29631c..1e87d9bff7 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -25,14 +25,14 @@ ms.topic: article >This is a 300 level topic (moderate advanced).
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
- [![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) + [![Download SetupDiag.](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) ## About SetupDiag -Current downloadable version of SetupDiag: 1.6.2107.27002 ->Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. +Current downloadable version of SetupDiag: 1.6.2107.27002. +> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. -SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. +SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode. @@ -344,6 +344,10 @@ Each rule name and its associated unique rule identifier are listed with a descr ## Release notes +07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center. +- This version contains compliance updates and minor bug fixes. +- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup. + 05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center. - This version of SetupDiag is included with Windows 10, version 21H1. - A new rule is added: UserProfileSuffixMismatch. 
@@ -563,7 +567,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f ## Sample registry key -![Example of Addreg](./../images/addreg.png) +![Example of Addreg.](./../images/addreg.png) ## Related topics diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 580a08b67c..1cde13e1eb 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -61,7 +61,7 @@ Click **Submit** to send your feedback. See the following example: -![feedback example](../images/feedback.png) +![feedback example.](../images/feedback.png) After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. @@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. -![share link](../images/share.jpg) +![share.](../images/share.jpg) ## Related topics diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 842e478dcf..bdb7e4814a 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md 
@@ -59,31 +59,31 @@ When performing an operating system upgrade, Windows Setup uses phases described 1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - ![downlevel phase](../images/downlevel.png) + ![downlevel phase.](../images/downlevel.png) 2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - ![safeOS phase](../images/safeos.png) + ![safeOS phase.](../images/safeos.png) 3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - ![first boot phase](../images/firstboot.png) + ![first boot phase.](../images/firstboot.png) 4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - ![second boot phase](../images/secondboot.png) + ![second boot phase.](../images/secondboot.png) - ![second boot phase](../images/secondboot2.png) + ![second boot phase.](../images/secondboot2.png) - ![second boot phase](../images/secondboot3.png) + ![second boot phase.](../images/secondboot3.png) 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. **Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): -![Upgrade process](../images/upgrade-process.png) +![Upgrade process.](../images/upgrade-process.png) DU = Driver/device updates.
OOBE = Out of box experience.
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 57307ee3d0..c8a2c54c5a 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -33,9 +33,9 @@ The following table shows the methods and paths available to change the edition > [!TIP] > Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. -![not supported](../images/x_blk.png) (X) = not supported
-![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
-![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
+![not supported.](../images/x_blk.png) (X) = not supported
+![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required
+![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | |-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | -| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no 
reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 08c4982f9c..50aad1782d 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -63,7 +63,7 @@ Ten parameters are listed in the event: The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. -![Windows Error Reporting](../images/event.png) +![Windows Error Reporting.](../images/event.png) ## Related topics diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index 84a87a0aac..52b489720f 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. -![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) +![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif) ## Local Store vs. Remote Store diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 30930ac481..b94bc3041b 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md 
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref   -![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) +![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg)   @@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator   -![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) +![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg)   diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index f32ee0d61e..10e7c2e418 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -55,7 +55,7 @@ The process proceeds as follows: 3. Client computers are activated by receiving the activation object from a domain controller during startup. > [!div class="mx-imgBorder"] - > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) + > ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg) **Figure 10**. The Active Directory-based activation flow 
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o 3. Add the Volume Activation Services role, as shown in Figure 11. - ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) + ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg) **Figure 11**. Adding the Volume Activation Services role 4. Click the link to launch the Volume Activation Tools (Figure 12). - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) + ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg) **Figure 12**. Launching the Volume Activation Tools 5. Select the **Active Directory-Based Activation** option (Figure 13). - ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) + ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg) **Figure 13**. Selecting Active Directory-Based Activation 6. Enter your KMS host key and (optionally) a display name (Figure 14). - ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) + ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg) **Figure 14**. Entering your KMS host key 7. Activate your KMS host key by phone or online (Figure 15). - ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) + ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg) **Figure 15**. Choosing how to activate your product diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index f9cfcf33ac..5fa4723874 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over 2. Launch Server Manager. 3. Add the Volume Activation Services role, as shown in Figure 4. - ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) + ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg) **Figure 4**. Adding the Volume Activation Services role in Server Manager 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) + ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg) **Figure 5**. Launching the Volume Activation Tools 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. - ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) + ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg) **Figure 6**. Configuring the computer as a KMS host 6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). - ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) + ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg) **Figure 7**. Installing your KMS host key 7. If asked to confirm replacement of an existing key, click **Yes**. 8. After the product key is installed, you must activate it. Click **Next** (Figure 8). - ![Activating the software](../images/volumeactivationforwindows81-08.jpg) + ![Activating the software.](../images/volumeactivationforwindows81-08.jpg) **Figure 8**. 
Activating the software The KMS key can be activated online or by phone. See Figure 9. - ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) + ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg) **Figure 9**. Choosing to activate online diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index b88d65def4..728b60519b 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi You can activate computers by using a MAK in two ways: - **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) + ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg) **Figure 16**. MAK independent activation - **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) + ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg) **Figure 17**. MAK proxy activation with the VAMT diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 4e2248db96..e671e92d02 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md 
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI 5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. - ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) + ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif) **Important**   This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 87cb8d7b0f..5cbd41f410 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: -![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) +![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) 1. Open the Control Panel and double-click **Administrative Tools**. 2. Click **Windows Firewall with Advanced Security**. diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index f462f8655f..0b67293d6a 100644 --- a/windows/deployment/volume-activation/install-vamt.md 
+++ b/windows/deployment/volume-activation/install-vamt.md @@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png) ### Install VAMT using the ADK @@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. - ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) + ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png) For remote SQL Server, use `servername.yourdomain.com`. diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 45619726e9..91d2d8540b 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. -![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) +![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. @@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the The following screenshot shows the VAMT graphical user interface. -![VAMT user interface](images/vamtuserinterfaceupdated.jpg) +![VAMT user interface.](images/vamtuserinterfaceupdated.jpg) VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 443e1e417b..71d990f500 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use A typical core network that includes a KMS host is shown in Figure 1. -![Typical core network](../images/volumeactivationforwindows81-01.jpg) +![Typical core network.](../images/volumeactivationforwindows81-01.jpg) **Figure 1**. Typical core network @@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server, If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. -![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) +![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg) **Figure 2**. New KMS host in an isolated network @@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence: 7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. 8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. -![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) +![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg) **Figure 3**. KMS activation flow diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 2716a475b8..118a656e49 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md 
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th - Retail The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) +![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) ## In This Topic - [Install and start VAMT on a networked host computer](#bkmk-partone) diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 84e0a8ea19..d3b906680d 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -19,7 +19,7 @@ ms.topic: article In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: -![VAMT MAK proxy activation scenario](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) +![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index c8e7913ed2..562251c0a9 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md 
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. -![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) +![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg) **Figure 18**. The VAMT showing the licensing status of multiple computers @@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. -![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) +![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg) **Figure 19**. The VAMT showing key types and usage diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 844c46ba14..55fd4c1684 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md 
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here. -![VAMT error message](./images/vamt-known-issue-message.png) +![VAMT error message.](./images/vamt-known-issue-message.png) This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods. diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 3bda096ca5..2a0f0da2a9 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md 
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format. -[![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) +[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. -[![Deploy Windows 10 with Configuration Manager](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) +[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) ## See also diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index a90baefd20..0e160f2943 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md 
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: -![Images](images/table01.png) +![Images.](images/table01.png) When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. @@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic See the following example for Windows 10, version 1709: -![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) +![Windows 10, version 1709 lang pack.](images/lang-pack-1709.png) ### Features on demand diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 7e6d238721..9d18e1af46 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - ![custom image](images/image.png) + ![custom image.](images/image.png) ### Create the deployment task sequence 
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - ![finish](images/deploy-finish.png) + ![finish.](images/deploy-finish.png) This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 603113f920..d69cc3b5db 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: - ![Config Mgr PXE](images/configmgr-pxe.png) + ![Config Mgr PXE.](images/configmgr-pxe.png) 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: 
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce >Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. -![contoso.com\Computers](images/poc-computers.png) +![contoso.com\Computers.](images/poc-computers.png) In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. @@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - ![site](images/configmgr-site.png) + ![site.](images/configmgr-site.png) If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. 
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - ![client](images/configmgr-client.png) + ![client.](images/configmgr-client.png) >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. @@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - ![collection](images/configmgr-collection.png) + ![collection.](images/configmgr-collection.png) ### Create a device collection for PC1 @@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - ![software](images/configmgr-software-cntr.png) + ![software.](images/configmgr-software-cntr.png) >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - ![installOS](images/configmgr-install-os.png) + ![installOS.](images/configmgr-install-os.png) The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - ![asset](images/configmgr-asset.png) + ![asset.](images/configmgr-asset.png) You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - ![post-refresh](images/configmgr-post-refresh.png) + ![post-refresh.](images/configmgr-post-refresh.png) ## Related Topics diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 319121950d..d4a667a65b 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -150,7 +150,7 @@ Hardware requirements are displayed below: The lab architecture is summarized in the following diagram: -![PoC diagram](images/poc.png) +![PoC diagram.](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. @@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![hyper-v features](images/hyper-v-feature.png) + ![hyper-v features.](images/hyper-v-feature.png) - ![hyper-v](images/svr_mgr2.png) + ![hyper-v.](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -449,7 +449,7 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd 1](images/disk2vhd.png) + ![disk2vhd 1.](images/disk2vhd.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -482,7 +482,7 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd 2](images/disk2vhd-gen2.png) + ![disk2vhd 2.](images/disk2vhd-gen2.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -506,7 +506,7 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - ![disk2vhd 3](images/disk2vhd4.png) + ![disk2vhd 3.](images/disk2vhd4.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - ![PoC 1](images/installing-drivers.png) + ![PoC 1.](images/installing-drivers.png) >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. @@ -879,7 +879,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to See the following example: - ![ISE 1](images/ISE.png) + ![ISE 1.](images/ISE.png) 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: 
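Review bot: the three Disk2vhd hunks in windows-10-poc.md (`@@ -449`, `@@ -482`, `@@ -506`) change only screenshot alt text, but the procedure they sit in is missing handling guidance for the artifact it produces. Each step writes a complete copy of a real computer's C:\ volume (and, in two of them, the system volume) to a VHD/VHDX file, and the repeated note encourages saving it to a flash drive for speed. That file carries everything on the volume, including the local account database, any cached domain credentials and the user's documents, so the page should say, next to the existing "Disk2vhd can save VHDs to local hard drives..." note, that the VHD must be stored on encrypted media or a BitLocker-protected volume, that access to the F:\VHD folder should be restricted, and that the file should be deleted once the PoC is finished. One sentence added in the `@@ -449` hunk's note would cover all three, since the note text is identical in each.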
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 447ea81cfb..16e8c70c2a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. -![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) +![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later: - When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: - ![Subscription Activation with MFA example 1](images/sa-mfa1.png)
+ ![Subscription Activation with MFA example 1.](images/sa-mfa1.png)
- ![Subscription Activation with MFA example 2](images/sa-mfa2.png)
+ ![Subscription Activation with MFA example 2.](images/sa-mfa2.png)
- ![Subscription Activation with MFA example 3](images/sa-mfa3.png) + ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) ### Windows 10 Education requirements @@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. -![Windows 10 Enterprise](images/ent.png) +![Windows 10 Enterprise.](images/ent.png) When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. @@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio The following figures summarize how the Subscription Activation model works: Before Windows 10, version 1903:
-![1703](images/before.png) +![1703.](images/before.png) After Windows 10, version 1903:
-![1903](images/after.png) +![1903.](images/after.png) > [!NOTE] > diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index d132aa99a6..74e099fc82 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![Hyper-V feature](images/hyper-v-feature.png) + ![Hyper-V feature.](images/hyper-v-feature.png) - ![Hyper-V](images/svr_mgr2.png) + ![Hyper-V.](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -232,21 +232,21 @@ PS C:\autopilot> Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - ![Windows setup example 1](images/winsetup1.png) - ![Windows setup example 2](images/winsetup2.png) - ![Windows setup example 3](images/winsetup3.png) - ![Windows setup example 4](images/winsetup4.png) - ![Windows setup example 5](images/winsetup5.png) - ![Windows setup example 6](images/winsetup6.png) + ![Windows setup example 1.](images/winsetup1.png) + ![Windows setup example 2.](images/winsetup2.png) + ![Windows setup example 3.](images/winsetup3.png) + ![Windows setup example 4.](images/winsetup4.png) + ![Windows setup example 5.](images/winsetup5.png) + ![Windows setup example 6.](images/winsetup6.png) After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - ![Windows setup example 7](images/winsetup7.png) + ![Windows setup example 7.](images/winsetup7.png) Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. > [!div class="mx-imgBorder"] - > ![Windows setup example 8](images/winsetup8.png) + > ![Windows setup example 8.](images/winsetup8.png) To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: 
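Review bot: in the windows-10-subscription-activation.md hunk `@@ -171,10 +171,10 @@` (just above the demonstrate-deployment-on-vm.md file header), the alt text becomes `1703.` and `1903.`, which are version numbers rather than descriptions, so the change fixes the lint warning without fixing the accessibility problem. The sentence above the two figures ("The following figures summarize how the Subscription Activation model works") and the "Before Windows 10, version 1903:" / "After Windows 10, version 1903:" captions give the wording; use something like `![Subscription Activation flow before Windows 10, version 1903.](images/before.png)` and `![Subscription Activation flow after Windows 10, version 1903.](images/after.png)`.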
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script: > [!NOTE] > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - ![Serial number and hardware hash](images/hwid.png) + ![Serial number and hardware hash.](images/hwid.png) You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). @@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**. -![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) +![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg) Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. -![Reset this PC screen capture](images/autopilot-reset-progress.jpg) +![Reset this PC screen capture.](images/autopilot-reset-progress.jpg) ## Verify subscription level 
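Review bot: the `@@ -322,7 +322,7 @@` hunk changes the alt text of `images/hwid.png`, which the surrounding text presents as an example of the contents of AutopilotHWID.csv (serial number and 4K hardware hash). Before merging, confirm that the screenshot shows sample or redacted values rather than a real device's, because the serial number plus hardware hash is exactly what the later import step in this file uses to register a device to a tenant, so a published real value should be treated like a credential. The paragraph also tells the reader to copy the CSV to a USB stick or paste it outside the VM; a short caveat that the file should not be shared beyond the administrator performing the import would fit naturally at the same spot.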
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** -![MDM and Intune](images/mdm-intune2.png) +![MDM and Intune.](images/mdm-intune2.png) If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. -![License conversion option](images/aad-lic1.png) +![License conversion option.](images/aad-lic1.png) ## Configure company branding @@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. -![Configure company branding](images/branding.png) +![Configure company branding.](images/branding.png) When you are finished, click **Save**. @@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. -![MDM user scope in the Mobility blade](images/ap-aad-mdm.png) +![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png) ## Register your VM 
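Review bot: the `@@ -382,7 +382,7 @@` hunk at the end of this region sits directly under the step "select **All** under the **MDM user scope** and click **Save**", which is qualified only by "For the purposes of this demo". Readers follow this walkthrough in real tenants, so that step needs an explicit warning that **All** auto-enrolls every Azure AD joined device of every user into Intune tenant-wide, and that a production tenant should use **Some** with a pilot group instead. A `> [!NOTE]` or `> [!IMPORTANT]` block placed right after the new `![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png)` line would match the callout style already used elsewhere in this file.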
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B 1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. - ![Intune device import](images/enroll1.png) + ![Intune device import.](images/enroll1.png) > [!NOTE] > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank. - ![HWID CSV](images/enroll2.png) + ![HWID CSV.](images/enroll2.png) You should receive confirmation that the file is formatted correctly before uploading it, as shown above. @@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B 4. Click **Refresh** to verify your VM or device has been added. See the following example. - ![Import HWID](images/enroll3.png) + ![Import HWID.](images/enroll3.png) ### Autopilot registration using MSfB 
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft. Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: -![Microsoft Store for Business](images/msfb.png) +![Microsoft Store for Business.](images/msfb.png) Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. -![Microsoft Store for Business Devices](images/msfb-device.png) +![Microsoft Store for Business Devices.](images/msfb-device.png) ## Create and assign a Windows Autopilot deployment profile @@ -446,7 +446,7 @@ Pick one: > [!NOTE] > Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list. -![Devices](images/enroll4.png) +![Devices.](images/enroll4.png) #### Create a device group @@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must 3. Click **Members** and add the Autopilot VM to the group. See the following example: > [!div class="mx-imgBorder"] - > ![add members](images/group1.png) + > ![add members.](images/group1.png) 4. Click **Create**. 
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**. > [!div class="mx-imgBorder"] -> ![Deployment profiles](images/dp.png) +> ![Deployment profiles.](images/dp.png) Click on **Create profile** and then select **Windows PC**. > [!div class="mx-imgBorder"] -> ![Create deployment profile](images/create-profile.png) +> ![Create deployment profile.](images/create-profile.png) On the **Create profile** blade, use the following values: @@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings: 2. Click the **Autopilot Lab** group, and then click **Select**. 3. Click **Next** to continue and then click **Create**. See the following example: -![Deployment profile](images/profile.png) +![Deployment profile.](images/profile.png) Click on **OK** and then click on **Create**. @@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro Click **Manage** from the top menu, then click **Devices** from the left navigation tree. -![MSfB manage](images/msfb-manage.png) +![MSfB manage.](images/msfb-manage.png) Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. 
@@ -538,17 +538,17 @@ To CREATE the profile: Select your device from the **Devices** list: > [!div class="mx-imgBorder"] -> ![MSfB create step 1](images/msfb-create1.png) +> ![MSfB create step 1.](images/msfb-create1.png) On the Autopilot deployment dropdown menu, select **Create new profile**: > [!div class="mx-imgBorder"] -> ![MSfB create step 2](images/msfb-create2.png) +> ![MSfB create step 2.](images/msfb-create2.png) Name the profile, choose your desired settings, and then click **Create**: > [!div class="mx-imgBorder"] -> ![MSfB create step 3](images/msfb-create3.png) +> ![MSfB create step 3.](images/msfb-create3.png) The new profile is added to the Autopilot deployment list. @@ -557,12 +557,12 @@ To ASSIGN the profile: To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: > [!div class="mx-imgBorder"] -> ![MSfB assign step 1](images/msfb-assign1.png) +> ![MSfB assign step 1.](images/msfb-assign1.png) Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: > [!div class="mx-imgBorder"] -> ![MSfB assign step 2](images/msfb-assign2.png) +> ![MSfB assign step 2.](images/msfb-assign2.png) > [!IMPORTANT] > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: > [!div class="mx-imgBorder"] -> ![Device status](images/device-status.png) +> ![Device status.](images/device-status.png) Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. @@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com - Turn on the device - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). -![OOBE sign-in page](images/autopilot-oobe.png) +![OOBE sign-in page.](images/autopilot-oobe.png) Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. > [!div class="mx-imgBorder"] -> ![Device enabled](images/devices1.png) +> ![Device enabled.](images/devices1.png) Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. 
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu. > [!div class="mx-imgBorder"] -> ![Delete device step 1](images/delete-device1.png) +> ![Delete device step 1.](images/delete-device1.png) This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. @@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion. > [!div class="mx-imgBorder"] -> ![Delete device](images/delete-device2.png) +> ![Delete device.](images/delete-device2.png) At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: @@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: > [!div class="mx-imgBorder"] -> ![Add app example](images/app01.png) +> ![Add app example.](images/app01.png) After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. 
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Add app step 1](images/app02.png) +![Add app step 1.](images/app02.png) Under **App Type**, select **Windows app (Win32)**: -![Add app step 2](images/app03.png) +![Add app step 2.](images/app03.png) On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: > [!div class="mx-imgBorder"] -> ![Add app step 3](images/app04.png) +> ![Add app step 3.](images/app04.png) On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: -![Add app step 4](images/app05.png) +![Add app step 4.](images/app05.png) On the **Program Configuration** blade, supply the install and uninstall commands: @@ -721,7 +721,7 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q > [!NOTE] > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file. -![Add app step 5](images/app06.png) +![Add app step 5.](images/app06.png) Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). 
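Review bot: the `@@ -696,20 +696,20 @@` hunk only renames alt text, but its final context paragraph sends readers to a Notepad++ MSI repackaged by a third party (hass.de), the earlier steps wrap that file with IntuneWinAppUtil, and the assignment step later in this file deploys it as **Required** to a group. Nothing in the procedure asks the reader to verify what they downloaded, so a tampered package would be pushed to every device in the group. Add a sentence to that paragraph asking the reader to check the MSI's digital signature (or at least its hash against the upstream release) before running IntuneWinAppUtil, and to treat any unsigned or mismatched package as not fit for deployment. The hard-coded uninstall product code `{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}` in the context lines is tied to that specific third-party build, which is another reason to tell readers to confirm the package they have is the one the page describes.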
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade. On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: > [!div class="mx-imgBorder"] -> ![Add app step 6](images/app07.png) +> ![Add app step 6.](images/app07.png) Next, configure the **Detection rules**. For our purposes, we will select manual format: > [!div class="mx-imgBorder"] -> ![Add app step 7](images/app08.png) +> ![Add app step 7.](images/app08.png) Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: -![Add app step 8](images/app09.png) +![Add app step 8.](images/app09.png) Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. **Return codes**: For our purposes, leave the return codes at their default values: > [!div class="mx-imgBorder"] -> ![Add app step 9](images/app10.png) +> ![Add app step 9.](images/app10.png) Click **OK** to exit. @@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package. Once the indicator message says the addition has completed. > [!div class="mx-imgBorder"] -> ![Add app step 10](images/app11.png) +> ![Add app step 10.](images/app11.png) You will be able to find your app in your app list: > [!div class="mx-imgBorder"] -> ![Add app step 11](images/app12.png) +> ![Add app step 11.](images/app12.png) #### Assign the app to your Intune profile @@ -772,7 +772,7 @@ You will be able to find your app in your app list: In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: > [!div class="mx-imgBorder"] -> ![Assign app step 1](images/app13.png) +> ![Assign app step 1.](images/app13.png) Select **Add Group** to open the **Add group** pane that is related to the app. 
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu Select **Included Groups** and assign the groups you previously created that will use this app: -![Assign app step 2](images/app14.png) +![Assign app step 2.](images/app14.png) > [!div class="mx-imgBorder"] -> ![Assign app step 3](images/app15.png) +> ![Assign app step 3.](images/app15.png) In the **Select groups** pane, click the **Select** button. @@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. > [!div class="mx-imgBorder"] -> ![Assign app step 4](images/app16.png) +> ![Assign app step 4.](images/app16.png) At this point, you have completed steps to add a Win32 app to Intune. @@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Create app step 1](images/app17.png) +![Create app step 1.](images/app17.png) Under **App Type**, select **Office 365 Suite > Windows 10**: -![Create app step 2](images/app18.png) +![Create app step 2.](images/app18.png) Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: > [!div class="mx-imgBorder"] -> ![Create app step 3](images/app19.png) +> ![Create app step 3.](images/app19.png) Click **OK**. 
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. > [!div class="mx-imgBorder"] -> ![Create app step 4](images/app20.png) +> ![Create app step 4.](images/app20.png) Click **OK**. In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: -![Create app step 5](images/app21.png) +![Create app step 5.](images/app21.png) Click **OK** and then click **Add**. @@ -847,7 +847,7 @@ Click **OK** and then click **Add**. In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: > [!div class="mx-imgBorder"] -> ![Create app step 6](images/app22.png) +> ![Create app step 6.](images/app22.png) Select **Add Group** to open the **Add group** pane that is related to the app. @@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu Select **Included Groups** and assign the groups you previously created that will use this app: -![Create app step 7](images/app23.png) +![Create app step 7.](images/app23.png) > [!div class="mx-imgBorder"] -> ![Create app step 8](images/app24.png) +> ![Create app step 8.](images/app24.png) In the **Select groups** pane, click the **Select** button. @@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. -![Create app step 9](images/app25.png) +![Create app step 9.](images/app25.png) At this point, you have completed steps to add Office to Intune. 
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: -![Create app step 10](images/app26.png) +![Create app step 10.](images/app26.png) ## Glossary diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 0d04abd1e0..04f798b127 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). -![figure 1](images/win-10-adk-select.png) +![figure 1.](images/win-10-adk-select.png) The Windows 10 ADK feature selection page. @@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` -![figure 2](images/mdt-11-fig05.png) +![figure 2.](images/mdt-11-fig05.png) Using DISM functions in PowerShell. 
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data - **Custom templates.** Custom templates that you create. - **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. -![figure 3](images/mdt-11-fig06.png) +![figure 3.](images/mdt-11-fig06.png) A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files. @@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. -![figure 4](images/windows-icd.png) +![figure 4.](images/windows-icd.png) Windows Imaging and Configuration Designer. @@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/ Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. -![figure 7](images/mdt-11-fig07.png) +![figure 7.](images/mdt-11-fig07.png) Windows answer file opened in Windows SIM. 
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. -![figure 6](images/mdt-11-fig08.png) +![figure 6.](images/mdt-11-fig08.png) The updated Volume Activation Management Tool. @@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box. -![figure 7](images/mdt-11-fig09.png) +![figure 7.](images/mdt-11-fig09.png) A machine booted with the Windows ADK default Windows PE boot image. @@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. -![figure 8](images/mdt-11-fig10.png) +![figure 8.](images/mdt-11-fig10.png) A Windows 10 client booted into Windows RE, showing Advanced options. 
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows- Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. -![figure 9](images/mdt-11-fig11.png) +![figure 9.](images/mdt-11-fig11.png) Windows Deployment Services using multicast to deploy three machines. @@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance: - **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. - **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. -![figure 10](images/mdt-11-fig12.png) +![figure 10.](images/mdt-11-fig12.png) TFTP changes are now easy to perform. @@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup -![figure 11](images/mdt-11-fig13.png) +![figure 11.](images/mdt-11-fig13.png) The Deployment Workbench in, showing a task sequence. 
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm [Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer. -![figure 12](images/mdt-11-fig14.png) +![figure 12.](images/mdt-11-fig14.png) The SCM console showing a baseline configuration for a fictional client's computer security compliance. @@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file. -![figure 13](images/mdt-11-fig15.png) +![figure 13.](images/mdt-11-fig15.png) The User Experience selection screen in IEAK 11. @@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. -![figure 14](images/mdt-11-fig16.png) +![figure 14.](images/mdt-11-fig16.png) The Windows Server Update Services console. diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 930819c367..5852e85928 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md 
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn on data viewing](images/ddv-data-viewing.png) + ![Location to turn on data viewing.](images/ddv-data-viewing.png) **To turn on data viewing through PowerShell** @@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn off data viewing](images/ddv-settings-off.png) + ![Location to turn off data viewing.](images/ddv-settings-off.png) **To turn off data viewing through PowerShell** diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 3b40651ee2..dc9a127179 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn on data viewing](images/ddv-data-viewing.png) + ![Location to turn on data viewing.](images/ddv-data-viewing.png) ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. @@ -54,7 +54,7 @@ You can start this app from the **Settings** panel. 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

-OR-

+ ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)

-OR-

Go to **Start** and search for _Diagnostic Data Viewer_. @@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. - ![View your diagnostic events](images/ddv-event-view.jpg) + ![View your diagnostic events.](images/ddv-event-view.jpg) - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. 
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. - ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer](images/ddv-analytics.png) + ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) ## View Office Diagnostic Data By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). @@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - ![Location to turn off data viewing](images/ddv-settings-off.png) + ![Location to turn off data viewing.](images/ddv-settings-off.png) ## Modifying the size of your data history By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. -![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png) +![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) **To view your Windows Error Reporting diagnostic data using the Control Panel** @@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu Go to **Start** and search for _Problem Reports_. The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft. -![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png) +![View problem reports tool with report statuses.](images/control-panel-problem-reports-screen.png) ## Known Issues with Diagnostic Data Viewer diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index aad2616468..f1f0d9469a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [9. License Manager](#bkmk-licmgr) | | | ![Check mark](images/checkmark.png) | -| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | -| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [15. 
Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [9. License Manager](#bkmk-licmgr) | | | ![Check mark.](images/checkmark.png) | +| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | +| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark.](images/checkmark.png) | +| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark.](images/checkmark.png) | +| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. 
Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| -|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
-|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -|     [18.22 Activity History](#bkmk-act-history) | ![Check 
mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [29. 
Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png)| +|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check 
mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +|     [18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [20. 
Storage Health](#bkmk-storage-health) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | -| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 with Desktop Experience 
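Review bot: In the Windows 10 summary-table hunk (rows 18.1 General through 31. Services Configuration), the alt-text change is applied inconsistently across columns. Most rewritten rows read `![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png)`, so the Registry column keeps the old string; rows 18.19 through 18.23 change only the UI column, and 30. Cloud Clipboard is not touched at all. Every cell references the same images/checkmark.png, so a screen reader will announce the same image two different ways within one row. Pick one alt string (with or without the period) and apply it to every check-mark cell of the table in this same change.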
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. 
Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
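Review bot: In the `@@ -119,20 +119,20 @@` hunk (Windows Server 2016 with Desktop Experience table) the same inconsistency appears: the Group Policy column becomes `![Check mark.]` while the Registry column stays `![Check mark]`, and the unchanged context rows 24. Microsoft Defender Antivirus, 26. Microsoft Store and 27. Apps for websites keep the old form in both columns. If the period is there to satisfy an alt-text lint rule, the untouched rows will still fail it; apply the change to the whole table rather than to a subset of rows.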
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [11. 
Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | [18. Settings > Privacy](#bkmk-settingssection) | | | | -|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| -|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | -|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| 
    [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -|     [18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| +|     [18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +|     [18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +|     [18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. 
Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | -| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) | +| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | | [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index 8ac3729427..69dba47679 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md 
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s > **Note**  You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample1.gif) 3. Close Active Directory Users and Computers. @@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s 5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample2.png) 6. Name the GPO, and > **OK**. 7. Expand the GPO, right-click the new GPO, and > **Edit**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample3.png) 8. Configure which members of accounts can log on locally to these administrative workstations as follows: @@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 5. Click **Add User or Group**, type **Administrators**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample4.png) 9. Configure the proxy configuration: 
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample5.png) 10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows: @@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample6.png) 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**. - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample7.png) 3. Click **OK** to complete the configuration. @@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Right-click **Group Policy Objects**, and > **New**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample1.png) 4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample2.png) 5. Right-click **New GPO**, and > **Edit**. 
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample3.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. @@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample4.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. @@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample5.png) **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. 
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for 1. Right-click the workstation OU, and then > **Link an Existing GPO**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample6.png) 2. Select the GPO that you just created, and > **OK**. - ![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png) + ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample7.png) 10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy. @@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. -![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png) +![Active Directory local accounts.](images/adlocalaccounts-proc3-sample1.png) ## Secure and manage domain controllers diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index d67808e585..6ad17afded 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md 
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t 3. In the console tree, right-click **Group Policy Objects**, and > **New**. - ![local accounts 1](images/localaccounts-proc1-sample1.png) + ![local accounts 1.](images/localaccounts-proc1-sample1.png) 4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer. - ![local accounts 2](images/localaccounts-proc1-sample2.png) + ![local accounts 2.](images/localaccounts-proc1-sample2.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 3](images/localaccounts-proc1-sample3.png) + ![local accounts 3.](images/localaccounts-proc1-sample3.png) 6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following: @@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t 2. Right-click **Registry**, and > **New** > **Registry Item**. - ![local accounts 4](images/localaccounts-proc1-sample4.png) + ![local accounts 4.](images/localaccounts-proc1-sample4.png) 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. @@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t 9. Verify this configuration, and > **OK**. - ![local accounts 5](images/localaccounts-proc1-sample5.png) + ![local accounts 5.](images/localaccounts-proc1-sample5.png) 8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: 
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - ![local accounts 6](images/localaccounts-proc1-sample6.png) + ![local accounts 6.](images/localaccounts-proc1-sample6.png) 3. Select the GPO that you just created, and > **OK**. @@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ 4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer. - ![local accounts 7](images/localaccounts-proc2-sample1.png) + ![local accounts 7.](images/localaccounts-proc2-sample1.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 8](images/localaccounts-proc2-sample2.png) + ![local accounts 8.](images/localaccounts-proc2-sample2.png) 6. Configure the user rights to deny network logons for administrative local accounts as follows: diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index e770d29de4..be0a573f71 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md 
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice, A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID. -![Security identifier architecture](images/security-identifider-architecture.jpg) +![Security identifier architecture.](images/security-identifider-architecture.jpg) The individual values of a SID are described in the following table. diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md index 26564af45a..293acd13c9 100644 --- a/windows/security/identity-protection/access-control/security-principals.md +++ b/windows/security/identity-protection/access-control/security-principals.md @@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control **Authorization and access control process** -![authorization and access control process](images/authorizationandaccesscontrolprocess.gif) +![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif) Security principals are closely related to the following components and technologies: diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index f055141697..9423de2923 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md 
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate) 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. - :::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png"::: + :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png"::: 3. Tap **Email security**. - :::image type="content" alt-text="email security settings" source="images/emailsecurity.png"::: + :::image type="content" alt-text="email security settings." source="images/emailsecurity.png"::: 4. In **Select an account**, select the account for which you want to configure S/MIME options. @@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate) 2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message. - :::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png"::: + :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png"::: ## Read signed or encrypted messages @@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin 3. Tap **Install.** - :::image type="content" alt-text="message security information" source="images/installcert.png"::: + :::image type="content" alt-text="message security information." source="images/installcert.png":::   \ No newline at end of file diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 8d0219c5dd..b122158529 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md 
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon Here's a high-level overview on how the LSA is isolated by using virtualization-based security: -![Windows Defender Credential Guard overview](images/credguard.png) +![Windows Defender Credential Guard overview.](images/credguard.png) ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index c737034fd5..936172770d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will 5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details. - ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png) + ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png) 6. Close the Group Policy Management Console. @@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard Here's an example: > [!div class="mx-imgBorder"] - > ![System Information](images/credguard-msinfo32.png) + > ![System Information.](images/credguard-msinfo32.png) You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index 8a678b6ff4..fea29a3fc3 100644 
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location: | Value | Binary contents from the certificate pin rules certificate trust list file | | Data type | REG_BINARY | -![Registry binary information](images/enterprise-pinning-registry-binary-information.png) +![Registry binary information.](images/enterprise-pinning-registry-binary-information.png) ### Deploying Enterprise Pin Rule Settings using Group Policy @@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti 11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. - ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) + ![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png) 12. Close the **Group Policy Management Editor** to save your settings. 13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer. 
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC. You can use Windows PowerShell to format these dates. You can then copy and paste the output of the cmdlet into the XML file. -![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png) +![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png) For simplicity, you can truncate decimal point (.) and the numbers after it. However, be certain to append the uppercase “Z” to the end of the XML date string. @@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date. -![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png) +![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png) ## Representing a Duration in XML @@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date. You must represent the duration as an XML timespan data type. You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file. -![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png) +![Representing a duration.](images/enterprise-certificate-pinning-representing-a-duration.png) ## Converting an XML Duration You can convert a XML formatted timespan into a timespan variable that you can read. -![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png) +![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png) ## Certificate Trust List XML Schema Definition (XSD) 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index b7018e4477..f80ffec25c 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. - ![Group Policy Editor](images/multifactorUnlock/gpme.png) + ![Group Policy Editor.](images/multifactorUnlock/gpme.png) 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. - ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) + ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png) 9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 16be1aa6bc..25d27e28d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: -![dc-chart1](images/plan/dc-chart1.png) +![dc-chart1.](images/plan/dc-chart1.png) The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following: -![dc-chart2](images/plan/dc-chart2.png) +![dc-chart2.](images/plan/dc-chart2.png) The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients? 
-![dc-chart3](images/plan/dc-chart3.png) +![dc-chart3.](images/plan/dc-chart3.png) Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same. -![dc-chart4](images/plan/dc-chart4.png) +![dc-chart4.](images/plan/dc-chart4.png) Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment. -![dc-chart5](images/plan/dc-chart5.png) +![dc-chart5.](images/plan/dc-chart5.png) You'll notice the distribution did not change. Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. 
Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index ab73eab4f9..f354ae19d4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. 10. Click **Enroll**. 
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. @@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. 
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation. - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS 
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea Sign-in a node of the federation farm with _Admin_ equivalent credentials. 1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) + ![NLB Manager user interface.](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) + ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) + ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
- ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) + ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. 9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 0686de8a9a..57f12a0692 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i “schema”``` -![Netdom example output](images/hello-cmd-netdom.png) +![Netdom example output.](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index bafde6afc2..0bbce98b00 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -51,7 +51,7 @@ Three approaches are documented here: 1. Right-click the **Smartcard Logon** template and click **Duplicate Template** - ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png) + ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) 1. On the **Compatibility** tab: 1. Clear the **Show resulting changes** check box @@ -109,7 +109,7 @@ Three approaches are documented here: 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** - ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png) + ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. 
@@ -123,7 +123,7 @@ Three approaches are documented here: 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** - ![Request a new certificate](images/rdpcert/requestnewcertificate.png) + ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) 1. On the Certificate Enrollment screen, click **Next**. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 476aed7683..48a0d130df 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the ** The following image shows an example of an error during **Create a PIN**. -![PIN error](images/pinerror.png) +![PIN error.](images/pinerror.png) ## Error mitigations diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 0ecc622ba4..2fbed0b012 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. - ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) + ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) > [!NOTE] > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. 
- :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: + :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png"::: ### Configure Windows devices to use PIN reset using Group Policy @@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - **Data type:** String - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) - :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: + :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: 1. Click the Save button to save the custom configuration. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 30dc6c78e6..b5361a656c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility. Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. > [!div class="mx-imgBorder"] -> ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png) +> ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png) > [!IMPORTANT] > The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index a90f1587c2..1efcc90b24 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Azure Active Directory -![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png) +![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png) | Phase | Description | | :----: | :----------- | 
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| ## Azure AD join authentication to Active Directory using a Key -![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) +![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png) | Phase | Description | @@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Active Directory using a Certificate -![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png) +![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png) | Phase | Description | | :----: | :----------- | @@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ## Hybrid Azure AD join authentication using a Key -![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png) +![Hybrid Azure AD join authentication using a Key.](images/howitworks/auth-haadj-keytrust.png) | Phase | Description | | :----: | :----------- | 
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. ## Hybrid Azure AD join authentication using a Certificate -![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png) +![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 0fb161ccb5..20008e7565 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Azure AD joined provisioning in a Managed environment -![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png) +![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-managed.png) | Phase | Description | | :----: | :----------- | 
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment -![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) +![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png) | Phase | Description | | :----: | :----------- | @@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment -![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](images/howitworks/prov-haadj-keytrust-managed.png) +![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment.](images/howitworks/prov-haadj-keytrust-managed.png) | Phase | Description | @@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment -![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) +![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png) | Phase | Description | 
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Key Trust deployment -![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) +![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png) | Phase | Description | | :----: | :----------- | @@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Certificate Trust deployment -![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) +![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8e0a208a86..13246cec6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect). If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks. -![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png) +![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png) ### Azure Active Directory Device Registration A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. -![dsregcmd output](images/aadj/dsregcmd.png) +![dsregcmd output.](images/aadj/dsregcmd.png) ### CRL Distribution Point (CDP) Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. 
During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid. -![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png) +![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated. 
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**. 2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**. 3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**. - ![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) + ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) > [!NOTE] > Make note of this path as you will use it later to configure share and file permissions. 4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane. 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**. - ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png) + ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png) In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane. - ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png) + ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png) 7. Close **Internet Information Services (IIS) Manager**. #### Create a DNS resource record for the CRL distribution point URL 
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**. 2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**. 3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**. -![Create DNS host record](images/aadj/dns-new-host-dialog.png) +![Create DNS host record.](images/aadj/dns-new-host-dialog.png) 4. Close the **DNS Manager**. ### Prepare a file share to host the certificate revocation list 
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. 3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. -![cdp sharing](images/aadj/cdp-sharing.png) +![cdp sharing.](images/aadj/cdp-sharing.png) 4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**. 8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. -![CDP Share Permissions](images/aadj/cdp-share-permissions.png) +![CDP Share Permissions.](images/aadj/cdp-share-permissions.png) 9. In the **Advanced Sharing** dialog box, click **OK**. > [!Tip] 
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. 3. Click **Caching**. Select **No files or programs from the shared folder are available offline**. -![CDP disable caching](images/aadj/cdp-disable-caching.png) +![CDP disable caching.](images/aadj/cdp-disable-caching.png) 4. Click **OK**. #### Configure NTFS permission for the CDP folder @@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow 2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab. 3. On the **Security** tab, click Edit. 5. In the **Permissions for cdp** dialog box, click **Add**. -![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png) +![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png) 6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**. 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**. 8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. 
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point. Now, configure the 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. 4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). - ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) + ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. - ![CDP complete http](images/aadj/cdp-extension-complete-http.png) + ![CDP complete http.](images/aadj/cdp-extension-complete-http.png) 8. Select **Include in CRLs. Clients use this to find Delta CRL locations**. 9. Select **Include in the CDP extension of issued certificates**. 10. Click **Apply** save your selections. Click **No** when ask to restart the service. 
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. - ![CDP publishing location](images/aadj/cdp-extension-complete-unc.png) + ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. @@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish** -![Publish a New CRL](images/aadj/publish-new-crl.png) +![Publish a New CRL.](images/aadj/publish-new-crl.png) 3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**. #### Validate CDP Publishing @@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. 1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. - ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) + ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates 
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -![Certificate Manager Personal store](images/aadj/certlm-personal-store.png) +![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png) 4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**. -![Renew with New key](images/aadj/certlm-renew-with-new-key.png) +![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) 5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**. 6. After the enrollment completes, click **Finish** to close the wizard. 7. Repeat this procedure on all your domain controllers. @@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. 4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**. 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
-![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png) +![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) ## Configure and Assign a Trusted Certificate Device Configuration Profile @@ -276,13 +276,13 @@ Steps you will perform include: 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. 4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**. -![Certificate Path](images/aadj/certlm-cert-path-tab.png) +![Certificate Path.](images/aadj/certlm-cert-path-tab.png) 5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**. -![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png) +![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png) 6. In the **Certificate Export Wizard**, click **Next**. 7. On the **Export File Format** page of the wizard, click **Next**. 8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. -![Export root certificate](images/aadj/certlm-export-root-certificate.png) +![Export root certificate.](images/aadj/certlm-export-root-certificate.png) 9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. ### Create and Assign a Trust Certificate Device Configuration Profile 
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. -![Intune Create Profile](images/aadj/intune-create-device-config-profile.png) +![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png) 3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. -![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) +![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png) 5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. -![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) +![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. > [!NOTE] > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. 
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Choose **Enroll devices**. 4. Select **Windows enrollment**. 5. Under **Windows enrollment**, select **Windows Hello for Business**. - ![Create Windows Hello for Business Policy](images/aadj/MEM.png) + ![Create Windows Hello for Business Policy.](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index b8ce7af3da..e4ada9da90 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 2. Click **Login** and provide Azure credentials 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. - ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) + ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account 
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 1. Open **Server Manager** on the NDES server. 2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. - ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) + ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. - ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) + ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) + ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png) + ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. 
Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. - ![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) 7. Click **Next** on the **Web Server Role (IIS)** page. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. * **Web Server > Security > Request Filtering** @@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr * **Web Server > Application Development > ASP.NET 4.5**. . * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** - ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) + ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) + ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation 
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_. > [!NOTE] > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs. -![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png) +![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png) #### Configure the NDES Service account for delegation The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation. 
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. - ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) + ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. - ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. - ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates 
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr > [!NOTE] > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. -![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) +![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. 2. On the **Credentials** page, click **Next**. - ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) + ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** - ![NDES Role Services](images/aadjcert/ndesconfig02.png) + ![NDES Role Services.](images/aadjcert/ndesconfig02.png) 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. - ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) + ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. - ![NDES CA selection](images/aadjcert/ndesconfig04.png) + ![NDES CA selection.](images/aadjcert/ndesconfig04.png) 6. On the **RA Information**, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. - ![NDES Confirmation](images/aadjcert/ndesconfig05.png) + ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) 8. Click **Close** after the configuration completes. 
#### Configure Certificate Templates on NDES 
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. - ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. - ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png) + ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png) 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. - ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png) + ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png) 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. 
- ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png) + ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png) 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group @@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. - ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. - ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 6. Click **Save**. 
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). - ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) + ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Click **Enroll** 
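Review bot: The step list in this hunk has two items numbered "9." ("Under **Alternative name**..." and "Click **Enroll**"); the final item should be "10." and should end with a period like the other steps. Step 7 ("...Click here to configure settings** link") is also missing its terminating period.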
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. - ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) + ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png) 3. Click **Bindings...*** under **Actions**. Click **Add**. - ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) + ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png) 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. - ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) + ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png) 6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. 8. Close **Internet Information Services (IIS) Manager**. @@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. -![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) +![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. -![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png) +![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune 
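Review bot: Adding a period does not fix the accessibility problem these captions have: "NDES IIS Console." is reused for five different screenshots (the site tree, the Bindings dialog, the Add Binding dialog, and the two HTTPS test pages), so screen readers get no distinguishing description. Suggest captions that say what each image shows, e.g. "NDES IIS Manager with Default Web Site selected.", "Site Bindings dialog with HTTPS binding on port 443.", "NDES test page showing the server authentication certificate.". Also in the same region: step 3 has a stray third asterisk in `**Bindings...***`, and the event source is misspelled as **NetworkDeviceEnrollmentSerice** (should be NetworkDeviceEnrollmentService).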
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. - ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) + ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) 4. Select **Allow unlisted file name extensions**. 5. Select **Allow unlisted verbs**. 6. Select **Allow high-bit characters**. @@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - ![Intune Certificate Authority](images/aadjcert/profile01.png) + ![Intune Certificate Authority.](images/aadjcert/profile01.png) 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. 5. Sign-out of the Microsoft Endpoint Manager admin center. 
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. 3. On the **Microsoft Intune** page, click **Next**. - ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) + ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) + ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) + ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. 
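Review bot: Two typos sit immediately next to the changed caption lines in this hunk and should go in the same commit: "the application rembers the selection" (remembers) in the NOTE block, and "ON the **Ready to install Microsoft Intune Connector** page. Click **Install**." in step 9 (lowercase "On", and the sentence break after "page" should be a comma).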
- ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) + ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) + ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. @@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_. > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - ![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png) + ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. - ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) + ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. 
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival 1. Start the **Certification Authority** management console. 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. - ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) + ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation @@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) + ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector 
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. 6. Provide a **Group description**, if applicable. 7. Select **Assigned** from the **Membership type** list. - ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) + ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. 
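Review bot: The context line above the changed caption in the test hunk repeats the misspelled event source **NetworkDeviceEnrollmentSerice**; the same string appears earlier in this file, so fix both occurrences together (NetworkDeviceEnrollmentService).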
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices**, and then click **Configuration Profiles**. 3. Select **Create Profile**. - ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png) + ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) 4. Select **Windows 10 and later** from the **Platform** list. 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. 
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. - ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png) + ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 18. Click **Next**. 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. @@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Click **WHFB Certificate Enrollment**. 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. - ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png) + ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. 7. Click **Review + Save**, and then **Save**. 
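Review bot: Step 17 in this hunk gives the example SCEP URL as `https://ndes-mtephendemo.msappproxy.net/...`, while the earlier hunks in this file use `ndes-mstephendemo.msappproxy.net` for the same external name; the example host should match so readers can trace the URL back to the proxy they configured.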
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index e80dc75f72..9e100bc146 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i schema``` -![Netdom example output](images/hello-cmd-netdom.png) +![Netdom example output.](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. 
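Review bot: The hunk header context line "To locate the schema master role holder, open and command prompt and type:" has a typo ("open a command prompt"); since the only change in this hunk is the caption on the next line, it is worth fixing here.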
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS** ### Create AD objects for AD FS Device Authentication If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. -![Device Registration](images/hybridct/device1.png) +![Device Registration.](images/hybridct/device1.png) > [!NOTE] > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. -![Device Registration](images/hybridct/device2.png) +![Device Registration.](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: @@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration](images/hybridct/device3.png) +![Device Registration.](images/hybridct/device3.png) The above PSH creates the following objects: 
@@ -140,11 +140,11 @@ The above PSH creates the following objects: - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration -![Device Registration](images/hybridct/device4.png) +![Device Registration.](images/hybridct/device4.png) 4. Once this is done, you will see a successful completion message. -![Device Registration](images/hybridct/device5.png) +![Device Registration.](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS @@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep -![Device Registration](images/hybridct/device6.png) +![Device Registration.](images/hybridct/device6.png) 2. Provide your Azure AD global administrator credentials `PS C:>$aadAdminCred = Get-Credential` -![Device Registration](images/hybridct/device7.png) +![Device Registration.](images/hybridct/device7.png) 3. Run the following PowerShell command 
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration](images/hybridct/device8.png) +![Device Registration.](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index cfaf049efd..35bd16ed3e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
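Review bot: Across the device-registration hunks in this file, every screenshot from `device1.png` through `device8.png` carries the identical caption "Device Registration.", so the period change leaves eight images indistinguishable to assistive technology. Suggest one descriptive caption per image tied to the step it follows, e.g. "AD FS Management console showing Device Registration under Service." for device1 and "Add Roles and Features wizard with AD DS and AD LDS Tools selected." for device2.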
@@ -27,22 +27,22 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result](images/Event358.png) +![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. -![Setup a PIN Provisioning](images/setupapin.png) +![Setup a PIN Provisioning.](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -![MFA prompt during provisioning](images/mfa.png) +![MFA prompt during provisioning.](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. 
This PIN must observe any PIN complexity requirements that you deployed to the environment. -![Create a PIN during provisioning](images/createPin.png) +![Create a PIN during provisioning.](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 9caf362da6..e60e0b15f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -27,22 +27,22 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358](images/Event358-2.png) +![Event358.](images/Event358-2.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. -![Setup a PIN Provisioning](images/setupapin.png) +![Setup a PIN Provisioning.](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -![MFA prompt during provisioning](images/mfa.png) +![MFA prompt during provisioning.](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. 
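Review bot: The caption "Event358." in this hunk is a bare event ID, whereas the parallel hunk in hello-hybrid-cert-whfb-provision.md uses "Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result."; suggest using the same descriptive text here so the two provisioning articles stay consistent.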
-![Create a PIN during provisioning](images/createPin.png) +![Create a PIN during provisioning.](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 99491fb5c3..4e83f31ec3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. 9. Click **Enroll**. 
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. @@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS 
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea Sign-in a node of the federation farm with _Admin_ equivalent credentials. 1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) + ![NLB Manager user interface.](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) + ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) + ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
- ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) + ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. 9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 00fa16c254..1a2b17c308 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello](images/authflow.png) +![How authentication works in Windows Hello.](images/authflow.png) Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 3ff85f511f..e7d6a0cea8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md 
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. -![who owns this pc](images/corpown.png) +![who owns this pc.](images/corpown.png) Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. -![choose how you'll connect](images/connect.png) +![choose how you'll connect.](images/connect.png) They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. @@ -55,7 +55,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. -![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) +![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 87e71bc747..2b1c101fc0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
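Review bot: In the hello-prepare-people-to-use.md hunk at @@ -35,11 the alt text stays a lowercase fragment, so the change only produces `![who owns this pc.](images/corpown.png)` and `![choose how you'll connect.](images/connect.png)`; if the point of this pass is screen-reader-friendly alt text, use sentence case and name what the screenshot shows, for example `![Who owns this PC screen during device setup.](images/corpown.png)`. The same applies to `![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png)` in the @@ -55,7 hunk of the same file.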
@@ -21,7 +21,7 @@ ms.reviewer: ## Four steps to password freedom Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. -![Passwordless approach](images/four-steps-passwordless.png) +![Passwordless approach.](images/four-steps-passwordless.png) ### 1. Develop a password replacement offering 
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us ##### Security Policy You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. -![securityPolicyLocation](images/passwordless/00-securityPolicy.png) +![securityPolicyLocation.](images/passwordless/00-securityPolicy.png) **Windows Server 2016 and earlier** The policy name for these operating systems is **Interactive logon: Require smart card**. -![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png) +![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png) **Windows 10, version 1703 or later using Remote Server Administrator Tools** The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. -![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) +![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png) When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon** -![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) +![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png) The name of the policy setting is **Exclude credential providers**. 
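Review bot: The alt text in the passwordless-strategy.md hunk at @@ -203,24 is a set of camelCase file identifiers, so appending a period gives `![securityPolicyLocation.]`, `![securityPolicyBefore2016.]` and `![HideCredProvPolicy.]`, which a screen reader will read out as identifiers rather than a description. Since the surrounding text already says what each screenshot is, use that: for example `![Location of the interactive logon security policy setting in Group Policy.](images/passwordless/00-securityPolicy.png)` and `![Exclude credential providers policy setting under System > Logon.](images/passwordless/00-hidecredprov.png)`. The `![HideCredProvPolicy2.]` line later in the same hunk should get the same treatment.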
The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. -![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png) +![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png) Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. @@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ > [!NOTE] > Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. -![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) +![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: 
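Review bot: While touching the SCRIL hunk at @@ -261,7 in passwordless-strategy.md, the trailing context line `passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire` should read `or earlier domain functional level`, and `do not allow the user to sign-in interactively` uses the noun form where the verb `sign in` is meant. Both are in unchanged context immediately below the alt-text change, so fixing them here avoids a second pass over this file.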
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect - the user is not asked to change their password - domain controllers do not allow passwords for interactive authentication -![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png) +![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** > [!NOTE] > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. -![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) +![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** > [!NOTE] 
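Review bot: The note in the @@ -270,13 hunk of passwordless-strategy.md says `you should consider upgrading the domain to Windows Server 2016 domain forest functional level`, while the next hunk (@@ -286,7) describes the same automatic rotation as a feature of `Windows Server 2016 domain functional level`; these should agree, and the later wording is the one that matches the feature being described. In the same note, `a new random 128 bit password` should be hyphenated as `128-bit` to match the adjective use elsewhere on the page, and `in early domains` would be clearer as `in domains at an earlier functional level`.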
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. -![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) +![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 5e24e71b64..2ad3bb1f3b 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md 
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk, The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. -![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png) +![Each logical container holds one or more sets of keys.](../images/passport-fig3-logicalcontainer.png) Containers can contain several types of key material: diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 57bbf194fc..65fa656745 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: -![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) +![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: -![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) +![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. @@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C 2. Double-click **Restrict delegation of credentials to remote servers**. - ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) + ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) 3. Under **Use the following restricted mode**: diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 635a9631d6..d5c9651f0f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios. In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in. -![Smart card service redirects to smart card reader](images/sc-image101.png) +![Smart card service redirects to smart card reader.](images/sc-image101.png) **Remote Desktop redirection** diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 0663f9a479..63cbad9b26 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md 
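Review bot: In the remote-credential-guard.md hunk at @@ -34,13 the first alt text contains the image file extension, so adding a period produces `![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)`; drop the stray `.png` from the alt text rather than adding a period after it, giving `![RDP connection to a server without Windows Defender Remote Credential Guard.](...)`. The second image in the same hunk is the comparison with Restricted Admin mode that the text introduces, so its alt text could say so instead of just `Windows Defender Remote Credential Guard.`.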
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system. -![Credential provider architecture](images/sc-image201.gif) +![Credential provider architecture.](images/sc-image201.gif) **Figure 1**  **Credential provider architecture** @@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers. -![Base CSP and smart card minidriver architecture](images/sc-image203.gif) +![Base CSP and smart card minidriver architecture.](images/sc-image203.gif) **Figure 2**  **Base CSP and smart card minidriver architecture** @@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system. -![Smart card selection process](images/sc-image205.png) +![Smart card selection process.](images/sc-image205.png) **Figure 3**  **Smart card selection behavior** 
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again Figure 4 shows the Cryptography architecture that is used by the Windows operating system. -![Cryptography architecture](images/sc-image206.gif) +![Cryptography architecture.](images/sc-image206.gif) **Figure 4**  **Cryptography architecture** diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index ae671b4ace..dbcf86ee67 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The **Certificate propagation service** -![Certificate propagation service](images/sc-image302.gif) +![Certificate propagation service.](images/sc-image302.gif) 1. A signed-in user inserts a smart card. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index ef209588b9..a220e7e658 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p The following diagram illustrates how smart card sign-in works in the supported versions of Windows. -![Smart card sign-in flow](images/sc-image402.png) +![Smart card sign-in flow.](images/sc-image402.png) **Smart card sign-in flow** 
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us **Certificate revocation list distribution points** -![Certificate revocation list distribution points](images/sc-image403.png) +![Certificate revocation list distribution points.](images/sc-image403.png) **UPN in Subject Alternative Name field** -![UPN in Subject Alternative Name field](images/sc-image404.png) +![UPN in Subject Alternative Name field.](images/sc-image404.png) **Subject and Issuer fields** -![Subject and Issuer fields](images/sc-image405.png) +![Subject and Issuer fields.](images/sc-image405.png) This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC. **High-level flow of certificate processing for sign-in** -![High-level flow of certificate processing for sign-in](images/sc-image406.png) +![High-level flow of certificate processing for sign-in.](images/sc-image406.png) The certificate object is parsed to look for content to perform user account mapping. @@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i **Certificate processing logic** -![Certificate processing logic](images/sc-image407.png) +![Certificate processing logic.](images/sc-image407.png) NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy). diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index fa36cf563f..3f72307e25 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi **Smart card removal policy service** -![Smart card removal policy service](images/sc-image501.gif) +![Smart card removal policy service.](images/sc-image501.gif) The numbers in the previous figure represent the following actions: diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 10ffd31a84..76159c664d 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window The following shows how the logon process for an administrator differs from the logon process for a standard user. -![uac windows logon process](images/uacwindowslogonprocess.gif) +![uac windows logon process.](images/uacwindowslogonprocess.gif) By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. @@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. -![uac consent prompt](images/uacconsentprompt.gif) +![uac consent prompt.](images/uacconsentprompt.gif) **The credential prompt** 
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta The following is an example of the UAC credential prompt. -![uac credential prompt](images/uaccredentialprompt.gif) +![uac credential prompt.](images/uaccredentialprompt.gif) **UAC elevation prompts** @@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows: Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. -![uac shield icon](images/uacshieldicon.png) +![uac shield icon.](images/uacshieldicon.png) The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. @@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno The following diagram details the UAC architecture. -![uac architecture](images/uacarchitecture.gif) +![uac architecture.](images/uacarchitecture.gif) To better understand each component, review the table below: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index badf574468..4468785ff0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
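Review bot: In the how-user-account-control-works.md hunk at @@ -81,7 the alt text `![uac shield icon.](images/uacshieldicon.png)` does not match what the surrounding text says the image is, namely `a screen shot of the Date and Time Properties Control Panel item` with a shield icon on the Change date and time button; the alt text should describe that screenshot, for example `![Date and Time Properties dialog with the UAC shield icon on the Change date and time button.](images/uacshieldicon.png)`. The other alt text in these UAC hunks (`uac windows logon process.`, `uac consent prompt.`, `uac credential prompt.`, `uac architecture.`) is lowercase and abbreviated; sentence case with UAC capitalized would be consistent with the rest of this pass.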
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram. -![Diagram of physical smart card lifecycle](images/vsc-physical-smart-card-lifecycle.png) +![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 6fb462eb81..044f7c1fe1 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md 
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a The following diagram illustrates the secure key hierarchy and the process of accessing the user key. -![Diagram of the process of accessing the user key](images/vsc-process-of-accessing-user-key.png) +![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png) The following keys are stored on the hard disk: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 6810a79d95..c6ad4e0710 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo 2. Click **File**, and then click **Add/Remove Snap-in**. - ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png) + ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) 3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**. - ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png) + ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) 4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. 5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. - ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png) + ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png) 6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. - ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png) + ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png) 7. On the **General** tab: 
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo 12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. - ![Add Certification Authority snap-in](images/vsc-06-add-certification-authority-snap-in.png) + ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png) 13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. 14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. - ![Right-click menu for Certificate Templates](images/vsc-07-right-click-certificate-templates.png) + ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png) 15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. > **Note**  It can take some time for your template to replicate to all servers and become available in this list. - ![Selecting a certificate template](images/vsc-08-enable-certificate-template.png) + ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) 16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. - ![Stopping and starting the service](images/vsc-09-stop-service-start-service.png) + ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) ## Step 2: Create the TPM virtual smart card 
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u 1. On a domain-joined computer, open a Command Prompt window with Administrative credentials. - ![Cmd prompt, Run as administrator](images/vsc-10-cmd-run-as-administrator.png) + ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png) 2. At the command prompt, type the following, and then press ENTER: @@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to 2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**. - ![Request New Certificate](images/vsc-11-certificates-request-new-certificate.png) + ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) 3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1). - ![Certificate enrollment, select certificate](images/vsc-12-certificate-enrollment-select-certificate.png) + ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) 4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 789da743aa..4d3f59ff0a 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see: To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card. -![Icon for a virtual smart card](images/vsc-virtual-smart-card-icon.png) +![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png) A TPM-based virtual smart card is labeled **Security Device** in the user interface. diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 9665848076..2c0a581e8d 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP). -![EAP XML configuration in Intune profile](images/vpn-eap-xml.png) +![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 2c1405d9e0..44b05da541 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune. -![Add an app for the VPN connection](images/vpn-app-trigger.png) +![Add an app for the VPN connection.](images/vpn-app-trigger.png) After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. -![Configure rules for the app](images/vpn-app-rules.png) +![Configure rules for the app.](images/vpn-app-rules.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 393bf3b90b..66baa88e46 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com The VPN client side connection flow works as follows: > [!div class="mx-imgBorder"] -> ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png) +> ![Device compliance workflow when VPN client attempts to connect.](images/vpn-device-compliance.png) When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index e65b9b6d8b..465f79924f 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
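Review bot: The trailing context line of the vpn-conditional-access.md hunk at @@ -87,7 reads `When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:`, so the opening element names have been lost and only the escaped closing tag `<\/Enabled>` survives; the element being referred to is the VPNv2 CSP's `DeviceCompliance/Enabled` node, so the line should show at minimum `\<Enabled>true<\/Enabled>` with the same backslash escaping applied to the opening tag as to the closing one, or better, a fenced XML snippet so no escaping is needed. Since this hunk already touches the line above it, this is the place to fix it.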
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. -![VPN connection types](images/vpn-connection.png) +![VPN connection types.](images/vpn-connection.png) ## Built-in VPN client @@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: > [!div class="mx-imgBorder"] -> ![Available connection types](images/vpn-connection-intune.png) +> ![Available connection types.](images/vpn-connection-intune.png) In Intune, you can also include custom XML for third-party plug-in profiles: > [!div class="mx-imgBorder"] -> ![Custom XML](images/vpn-custom-xml-intune.png) +> ![Custom XML.](images/vpn-custom-xml-intune.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index fcc360257b..70cec8d554 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune. -![Add DNS rule](images/vpn-name-intune.png) +![Add DNS rule.](images/vpn-name-intune.png) The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table. 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 69940276c8..96eae8c6ac 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i 10. Set Data type to **String (XML file)**. 11. Upload the profile XML file. 12. Click **OK**. - ![Custom VPN profile](images/custom-vpn-profile.png) + ![Custom VPN profile.](images/custom-vpn-profile.png) 13. Click **OK**, then **Create**. 14. Assign the profile. diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index a33e2b0f3f..ea0cb1c3ae 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration. -![split tunnel](images/vpn-split.png) +![split tunnel.](images/vpn-split.png) Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection. -![add route for split tunnel](images/vpn-split-route.png) +![add route for split tunnel.](images/vpn-split-route.png) ## Related topics diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index bd1a32dde4..c84ab32cb0 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md 
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune. -![Add a traffic rule](images/vpn-traffic-rules.png) +![Add a traffic rule.](images/vpn-traffic-rules.png) ## LockDown VPN diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 2c1a02b8db..62a4cf6cf0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co - Respond to suspicious activity - Recover from a breach -![Security stages](images/security-stages.png) +![Security stages.](images/security-stages.png) ## Attacks that steal credentials diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index fc9b15fdef..23b9d93073 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: -![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png) +![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png) Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. @@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: -![Kernel DMA protection](images/kernel-dma-protection.png) +![Kernel DMA protection.](images/kernel-dma-protection.png) If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 4864bdf4d4..cd0b6543e6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image 
type="content" source="images/yes-icon.png" alt-text="supported"::: | | -|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |Standard recovery password storage location | 
Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | -|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" 
source="images/yes-icon.png" alt-text="supported"::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index eaccfb9c9f..a72324edf4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: *\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* -![Custom URL](./images/bl-intune-custom-url.png) +![Custom URL.](./images/bl-intune-custom-url.png) Example of customized recovery screen: -![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) +![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png) ### BitLocker recovery key hints BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. -![Customized BitLocker recovery screen](./images/bl-password-hint2.png) +![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) > [!IMPORTANT] > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. @@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the Microsoft Account and the custom URL are displayed. -![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png) +![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png) #### Example 2 (single recovery key with single backup) 
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the custom URL is displayed. -![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png) +![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png) #### Example 3 (single recovery key with multiple backups) @@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the Microsoft Account hint is displayed. -![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png) +![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png) #### Example 4 (multiple recovery passwords) @@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. -![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png) +![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png) #### Example 5 (multiple recovery passwords) @@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the most recent key is displayed. -![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png) +![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png) ## Using additional recovery information diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index c6483a8057..e8045e225c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -52,7 +52,7 @@ manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: -![Using manage-bde to check encryption status](images/manage-bde-status.png) +![Using manage-bde to check encryption status.](images/manage-bde-status.png) The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 2a08e910d0..664fb40db0 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in The output of such a command resembles the following. - ![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png) + ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png) - To export BitLocker-related information: ```ps 
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in The output of such a command resembles the following. - ![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png) + ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png) > [!NOTE] > If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index d41b2c7bf1..6268e09343 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md 
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps: 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows. - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png) If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following: - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png) + ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png) > [!NOTE] > GPOs that change the security descriptors of services have been known to cause this issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index bab9c21e3e..1def746b1f 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md 
@@ -45,11 +45,11 @@ To install the tool, follow these steps: 1. Accept the default installation path. - ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png) + ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png) 1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. - ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png) + ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png) 1. Finish the installation. @@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps: This folder contains the TBSLogGenerator.exe file. - ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png) + ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: ```cmd 
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps: TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` - ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png) + ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png) The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file. - ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png) + ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) The content of this text file resembles the following. -![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png) +![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) To find the PCR information, go to the end of the file. - ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -114,4 +114,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) +![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 60c34a7bb6..611dc64098 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md 
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png) +![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following: -![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png) +![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png) ### Cause @@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following. -![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png) +![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png) ### Cause 
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. -![Default disk partitions, including the recovery partition](./images/4509194-en-1.png) +![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png) To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: @@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro diskpart list volume ``` -![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) +![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). -![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) +![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg) #### Step 2: Verify the status of WinRE @@ -123,7 +123,7 @@ reagentc /info ``` The output of this command resembles the following. -![Output of the reagentc /info command](./images/4509193-en-1.png) +![Output of the reagentc /info command.](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: 
@@ -141,7 +141,7 @@ bcdedit /enum all The output of this command resembles the following. -![Output of the bcdedit /enum all command](./images/4509196-en-1.png) +![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes 1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. - ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png) + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive% In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows. -![Output of the manage-bde command](./images/4509199-en-1.png) +![Output of the manage-bde command.](./images/4509199-en-1.png) If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on. -![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png) +![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png) #### 2. Verify the Secure Boot state 
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol 1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Verify that the **Secure Boot State** setting is **On**, as follows: - ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png) + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. - ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: @@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following: -![Intune policy settings](./images/4509186-en-1.png) +![Intune policy settings.](./images/4509186-en-1.png) The OMA-URI references for these settings are as follows: @@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati - Support Modern Standby - Use Windows 10 version 1803 or later -![Intune policy setting](./images/4509188-en-1.png) +![Intune policy setting.](./images/4509188-en-1.png) The OMA-URI references for these settings are as follows: 
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows: During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845. -![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png) +![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png) -![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png) +![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png) You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section. -![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png) +![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png) On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys: - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker** - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** -![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png) \ No newline at end of file +![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png) \ No newline at end of file diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 31fc1097a4..768d8cdd75 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked ## User experience -![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) +![Kernel DMA protection user experience.](images/kernel-dma-protection-user-experience.png) By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system. @@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. -![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png) +![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png) ### Using System information @@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if 2. Check the value of **Kernel DMA Protection**. - ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) + ![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png) 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO: 
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external). -![Kernel DMA protection user experience](images/device_details_tab_1903.png) +![Kernel DMA protection user experience.](images/device_details_tab_1903.png) *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. -![Kernel DMA protection user experience](images/device-details-tab.png) +![Kernel DMA protection user experience.](images/device-details-tab.png) ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 721ae1e1e3..3d8754473d 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo Figure 1 shows the Windows 10 startup process. -![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) +![Windows 10 startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png) **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** @@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. -![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png) +![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png) **Figure 2. Measured Boot proves the PC’s health to a remote server** diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 06d8c54066..dd9e12558e 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md 
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client • **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. -![TPM Capabilities](images/tpm-capabilities.png) +![TPM Capabilities.](images/tpm-capabilities.png) *Figure 1: TPM Cryptographic Key Management* @@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. -![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) +![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) *Figure 2: Process used to create evidence of boot software and configuration using a TPM* diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 4a5ddd2df2..5a5e12feb9 100644 
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. - ![Robocopy in S mode](images/robocopy-s-mode.png) + ![Robocopy in S mode.](images/robocopy-s-mode.png) If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index a605d96688..909073181d 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. - ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png) + ![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png) 3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. - ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png) + ![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png) 4. In the **Custom OMA-URI Settings** blade, click **Add**. @@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. - ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) + ![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png) 6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. 
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index f13e30a044..32511b9cd5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y 1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png) + ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. - ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png) + ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. @@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png) + ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png) 6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. - ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png) + ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png) The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. @@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap The **Add app rule** box appears. - ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png) + ![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. 
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** The **Add app rule** box appears. - ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png) + ![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. @@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. 
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 4. On the **Before You Begin** page, click **Next**. - ![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png) + ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. - ![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. 
- ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. @@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The **Add app rule** box appears. - ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png) + ![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png) 2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. @@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png) + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. 
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png) + ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png) @@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png) + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
@@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings. -![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png) +![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png) **To set your optional settings** 1. Choose to set any or all of the optional settings: @@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o **To view the Summary screen** - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png) + ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png) A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 17dcaff4f3..0442c3778a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or 3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**: - ![Configure MDM or MAM provider](images/mobility-provider.png) + ![Configure MDM or MAM provider.](images/mobility-provider.png) ## Create a WIP policy @@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or 2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. - ![Open Client apps](images/create-app-protection-policy.png) + ![Open Client apps.](images/create-app-protection-policy.png) 3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: @@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM. - ![Add a mobile app policy](images/add-a-mobile-app-policy.png) + ![Add a mobile app policy.](images/add-a-mobile-app-policy.png) 4. Click **Protected apps** and then click **Add apps**. - ![Add protected apps](images/add-protected-apps.png) + ![Add protected apps.](images/add-protected-apps.png) You can add these types of apps: @@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**. -![Microsoft Intune management console: Recommended apps](images/recommended-apps.png) +![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png) ### Add Store apps 
@@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK** - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` - **Product Name**: `Microsoft.MicrosoftPowerBIForWindows` -![Add Store app](images/add-a-protected-store-app.png) +![Add Store app.](images/add-a-protected-store-app.png) To add multiple Store apps, click the ellipsis **…**. @@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**. -![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) +![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png) If you’re unsure about what to include for the publisher, you can run this PowerShell command: @@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png) + ![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png) 3. Right-click in the right-hand blade, and then click **Create New Rule**. @@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 4. On the **Before You Begin** page, click **Next**. - ![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png) + ![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. 
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. - ![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png) + ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png) 8. On the updated **Publisher** page, click **Create**. - ![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png) + ![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png) 9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. - ![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png) + ![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) + ![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png) 10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) + ![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. 
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 3. Right-click **Executable Rules** > **Create New Rule**. - ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png) + ![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png) 4. On the **Before You Begin** page, click **Next**. @@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 6. On the **Conditions** page, click **Path** and then click **Next**. - ![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png) + ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png) 7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". - ![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png) + ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png) 8. On the **Exceptions** page, add any exceptions and then click **Next**. @@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 1. In **Protected apps**, click **Import apps**. - ![Import protected apps](images/import-protected-apps.png) + ![Import protected apps.](images/import-protected-apps.png) Then import your file. - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) + ![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png) 2. Browse to your exported AppLocker policy file, and then click **Open**. 
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise 1. In **Client apps - App protection policies**, click **Exempt apps**. - ![Exempt apps](images/exempt-apps.png) + ![Exempt apps.](images/exempt-apps.png) 2. In **Exempt apps**, click **Add apps**. @@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi 1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**. - ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) + ![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png) |Mode |Description | |-----|------------| @@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor 2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. - ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) + ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png) 3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**. - ![Add protected domains](images/add-protected-domains.png) + ![Add protected domains.](images/add-protected-domains.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. 
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. -![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) +![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png) Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**. 
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings: - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network. -![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) +![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png) ## Upload your Data Recovery Agent (DRA) certificate After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. 
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to 2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) + ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. -![Advanced optional settings](images/wip-azure-advanced-settings-optional.png) +![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png) **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: @@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. -![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) +![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png) ## Related topics diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 524199cf73..8d929e1db4 100644 
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png) >[!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index b54cc7cbe1..dd3fb2529e 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task The **Select columns** box appears. - ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png) + ![Task Manager, Select column box with Enterprise Context option selected.](images/wip-select-column.png) 3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box. The **Enterprise Context** column should now be available in Task Manager. - ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png) + ![Task Manager, Enterprise Context column highlighted.](images/wip-taskmgr.png) ## Review the Enterprise Context The **Enterprise Context** column shows you what each app can do with your enterprise data: 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 1e97616ee8..e2f9ce0a1f 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h 1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. - ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) 1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. - ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + ![Image showing the UI with for app and website learning reports.](images/wip-learning-select-report.png) Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. @@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health, 4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). - ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) + ![View of drop down menu for Store or desktop apps.](images/wip-learning-choose-store-or-desktop-app.png) 5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. 
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health, `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US` - ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) + ![View of Add Apps app info entry boxes.](images/wip-learning-app-info.png) 6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 1ede3ef4ed..ea4b252a30 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. 
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png) +![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png) ## Troubleshooting diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 6e6173e36d..def1ec0b93 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -17,7 +17,7 @@ ms.technology: mde --- # Coordinated Malware Eradication -![coordinated-malware-eradication](images/CoordinatedMalware.png) +![coordinated-malware-eradication.](images/CoordinatedMalware.png) Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive. diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index e2029f3c2c..b125773d18 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md 
@@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo For clarity, fileless threats are grouped into different categories. -![Comprehensive diagram of fileless malware](images/fileless-malware.png)
+![Comprehensive diagram of fileless malware.](images/fileless-malware.png)
*Figure 1. Comprehensive diagram of fileless malware* Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. @@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. -![Image of Kovter's registry key](images/kovter-reg-key.png)
+![Image of Kovter's registry key.](images/kovter-reg-key.png)
*Figure 2. Kovter’s registry key* When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index ef4a133061..3b37bdf391 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -20,7 +20,7 @@ ms.technology: mde We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format: -![coordinated-malware-eradication](images/NamingMalware1.png) +![coordinated-malware-eradication.](images/NamingMalware1.png) When our analysts research a particular threat, they'll determine what each of the components of the name will be. diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 1f997dac95..01c216b8fe 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md 
@@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam: * The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. - ![example of how exploit kits work](./images/URLhover.png) + ![example of how exploit kits work.](./images/URLhover.png) * There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index 00eafc82ce..ae7c0e8363 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant. 2. Select **Grant admin consent for organization**. 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image](images/msi-grant-admin-consent.jpg) + ![grant consent image.](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   
@@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant. Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). -![Enterprise applications user settings](images/msi-enterprise-app-user-setting.jpg) +![Enterprise applications user settings.](images/msi-enterprise-app-user-setting.jpg) More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow). Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification. -![Contoso sign in flow](images/msi-contoso-approval-required.png) +![Contoso sign in flow.](images/msi-contoso-approval-required.png) Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/). @@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica ## Option 2 Provide admin consent by authenticating the application as an admin This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission). -![Consent sign in flow](images/msi-microsoft-permission-required.jpg) +![Consent sign in flow.](images/msi-microsoft-permission-required.jpg) Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. 
@@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) and select **delete**. - ![Delete app permissions](images/msi-properties.png) + ![Delete app permissions.](images/msi-properties.png) 2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties). 3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. ``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access`` - ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) + ![Permissions needed.](images/msi-microsoft-permission-requested-your-organization.png) 4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). - ![Review that permissions are applied](images/msi-permissions.jpg) + ![Review that permissions are applied.](images/msi-permissions.jpg) 6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access. 
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index ed4e5aaf84..2aa32ed8f6 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect This image shows how a worm can quickly spread through a shared USB drive. -![Worm example](./images/WormUSB-flight.png) +![Worm example.](./images/WormUSB-flight.png) ### *Figure worm spreading from a shared USB drive* diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index f0c6938382..83a6f5e00b 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md 
@@ -29,8 +29,8 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po For example: -[![VBS script](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) +[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) +[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 994ade09de..3b18ab25d3 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md 
@@ -45,7 +45,7 @@ Applies to: You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. The following diagram shows the flow between the host PC and the isolated container. -![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) +![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png) ## Install Application Guard @@ -55,7 +55,7 @@ Application Guard functionality is turned off by default. However, you can quick 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. - ![Windows Features, turning on Microsoft Defender Application Guard](images/turn-windows-features-on-off.png) + ![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png) 2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**. @@ -86,7 +86,7 @@ Application Guard functionality is turned off by default. However, you can quick > [!IMPORTANT] > Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment). -:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune"::: +:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune."::: 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index de798293db..4ad66674a9 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -29,7 +29,7 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. -![Hardware isolation diagram](images/appguard-hardware-isolation.png) +![Hardware isolation diagram.](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 74525211f8..d8ff39f397 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md 
@@ -33,7 +33,7 @@ You can see how an employee would use standalone mode with Application Guard. 2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu. - ![New Application Guard window setting option](images/appguard-new-window.png) + ![New Application Guard window setting option.](images/appguard-new-window.png) 3. Wait for Application Guard to set up the isolated environment. @@ -42,7 +42,7 @@ You can see how an employee would use standalone mode with Application Guard. 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. - ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png) ## Application Guard in Enterprise-managed mode 
@@ -64,19 +64,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1 c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. - ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png) d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. - ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png) 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. 5. Click **Enabled**, choose Option **1**, and click **OK**. - ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + ![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png) >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. 
@@ -85,13 +85,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1 After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. - ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) + ![Trusted website running on Microsoft Edge.](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. - ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png) ### Customize Application Guard @@ -118,7 +118,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) + ![Group Policy editor clipboard options.](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: @@ -144,7 +144,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Print options](images/appguard-gp-print.png) + ![Group Policy editor Print options.](images/appguard-gp-print.png) 3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. 
@@ -156,7 +156,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) + ![Group Policy editor Data Persistence options.](images/appguard-gp-persistence.png) 3. Open Microsoft Edge and browse to an untrusted, but safe URL. @@ -186,7 +186,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-download.png) + ![Group Policy editor Download options.](images/appguard-gp-download.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. @@ -200,7 +200,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) + ![Group Policy editor hardware acceleration options.](images/appguard-gp-vgpu.png) 3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. @@ -217,7 +217,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. 
@@ -231,7 +231,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) + ![Group Policy editor Camera and microphone options.](images/appguard-gp-allow-camera-and-mic.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. @@ -245,7 +245,7 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) + ![Group Policy editor Root certificate options.](images/appguard-gp-allow-root-certificates.png) 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. 
@@ -258,10 +258,10 @@ Once a user has the extension and its companion app installed on their enterpris 1. Open either Firefox or Chrome — whichever browser you have the extension installed on. 2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. - ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png) 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. - ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png) 4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 80486846fb..146b20c787 100644 
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -61,7 +61,7 @@ If you believe a warning or block was incorrectly shown for a file or applicatio When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. -![Windows Security, Microsoft Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png) +![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) ## Viewing Microsoft Defender SmartScreen anti-phishing events diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 85c404a314..89c036958f 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md 
@@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) + ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png) ## How Microsoft Defender SmartScreen works when a user tries to run an app Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index c792222c8a..c2a1d31b98 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md 
@@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual 1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting. - ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png) + ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png) 2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic. @@ -52,12 +52,12 @@ The following procedure describes how to use Group Policy to override individual **Note**
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior. - ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png) + ![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png) ## Setting the bit field Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings: -![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png) +![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png) Where the bit flags are read from right to left and are defined as: diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index f98634584d..0a9058b91d 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -130,7 +130,7 @@ You can now see which processes have DEP enabled. -![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) +![Processes with DEP enabled in Windows 10.](images/security-fig5-dep.png) *Figure 2.  Processes on which DEP has been enabled in Windows 10* 
@@ -168,7 +168,7 @@ One of the most common techniques used to gain access to a system is to find a v Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. -![ASLR at work](images/security-fig4-aslr.png) +![ASLR at work.](images/security-fig4-aslr.png) **Figure 3.  ASLR at work** diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 220c774696..e24bb48367 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -56,13 +56,13 @@ Because mobile devices are increasingly being used to access corporate informati Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. -:::image type="content" alt-text="figure 1" source="images/hva-fig1-endtoend1.png"::: +:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png"::: A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. -:::image type="content" alt-text="figure 2" source="images/hva-fig2-assessfromcloud2.png"::: +:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png"::: Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. 
@@ -94,7 +94,7 @@ In Windows 10, there are three pillars of investments: This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. -:::image type="content" alt-text="figure 3" source="images/hva-fig3-endtoendoverview3.png"::: +:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png"::: | Number | Part of the solution | Description | | - | - | - | @@ -115,7 +115,7 @@ This section describes what Windows 10 offers in terms of security defenses and The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. -:::image type="content" alt-text="figure 4" source="images/hva-fig4-hardware.png"::: +:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png"::: Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: @@ -230,7 +230,7 @@ The following Windows 10 services are protected with virtualization-based securi The schema below is a high-level view of Windows 10 with virtualization-based security. -:::image type="content" alt-text="figure 5" source="images/hva-fig5-virtualbasedsecurity.png"::: +:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png"::: ### Credential Guard 
@@ -425,11 +425,11 @@ The antimalware software can search to determine whether the boot sequence conta Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. -:::image type="content" alt-text="figure 6" source="images/hva-fig6-logs.png"::: +:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png"::: When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. -:::image type="content" alt-text="figure 7" source="images/hva-fig7-measurement.png"::: +:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png"::: The health attestation process works as follows: @@ -459,7 +459,7 @@ The following process describes how health boot measurements are sent to the hea 4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. -:::image type="content" alt-text="figure 8" source="images/hva-fig8a-healthattest8a.png"::: +:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png"::: ### Device health attestation components 
@@ -632,7 +632,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr 2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. 3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. - :::image type="content" alt-text="figure 9" source="images/hva-fig8-evaldevicehealth8.png"::: + :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png"::: Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: @@ -671,7 +671,7 @@ The remote device health attestation process uses measured boot data to verify t The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. -:::image type="content" alt-text="figure 10" source="images/hva-fig9-intune.png"::: +:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png"::: An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. 
@@ -705,7 +705,7 @@ If the device is not registered, the user will get a message with instructions o **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. -:::image type="content" alt-text="figure 11" source="images/hva-fig10-conditionalaccesscontrol.png"::: +:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png"::: ### Office 365 conditional access control @@ -725,7 +725,7 @@ The user will be denied access to services when sign-in credentials are changed, Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. -:::image type="content" alt-text="figure 12" source="images/hva-fig11-office365.png"::: +:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png"::: Clients that attempt to access Office 365 will be evaluated for the following properties: 
@@ -758,7 +758,7 @@ For on-premises applications there are two options to enable conditional access - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. -:::image type="content" alt-text="figure 13" source="images/hva-fig12-conditionalaccess12.png"::: +:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png"::: The following process describes how Azure AD conditional access works: diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index eb88a41772..ce251bc758 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -36,7 +36,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1 This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The Privacy setting is off by default, which hides the details. -![Privacy setting](images/privacy-setting-in-sign-in-options.png) +![Privacy setting.](images/privacy-setting-in-sign-in-options.png) The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 426d291c10..7a58b942a4 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -157,7 +157,7 @@ The following diagram shows Security Settings and related features. #### Security Settings Policies and Related Features -![components related to security policies](images/secpol-components.gif) +![components related to security policies.](images/secpol-components.gif) - **Scesrv.dll** @@ -181,7 +181,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the **Security Settings Architecture** -![architecture of security policy settings](images/secpol-architecture.gif) +![architecture of security policy settings.](images/secpol-architecture.gif) The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. 
@@ -321,7 +321,7 @@ In the context of Group Policy processing, security settings policy is processed **Multiple GPOs and Merging of Security Policy** - ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + ![multiple gpos and merging of security policy.](images/secpol-multigpomerge.gif) 1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. 1. The security settings policies are applied to devices. @@ -329,7 +329,7 @@ The following figure illustrates the security settings policy processing. **Security Settings Policy Processing** -![process and interactions of security policy settings](images/secpol-processes.gif) +![process and interactions of security policy settings.](images/secpol-processes.gif) ### Merging of security policies on domain controllers diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 277bc347d1..a8362c5bda 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -380,9 +380,9 @@ This can easily be extended to other Auto-Execution Start Points keys in the reg Use the following figures to see how you can configure those registry keys. -![default acl for run key](images/runkey.png) +![default acl for run key.](images/runkey.png) -![default acl for runonce key](images/runoncekey.png) +![default acl for runonce key.](images/runoncekey.png) ## Appendix C - Event channel settings (enable and channel access) methods 
@@ -399,7 +399,7 @@ The following GPO snippet performs the following: - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. -![configure event channels](images/capi-gpo.png) +![configure event channels.](images/capi-gpo.png) ## Appendix D - Minimum GPO for WEF Client configuration @@ -409,7 +409,7 @@ Here are the minimum steps for WEF to operate: 2. Start the WinRM service. 3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. -![configure the wef client](images/wef-client-config.png) +![configure the wef client.](images/wef-client-config.png) ## Appendix E – Annotated baseline subscription event query diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index 9b1eb730a6..11b4c1a58b 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md 
@@ -299,7 +299,7 @@ One of the most common techniques used by attackers to gain access to a system i Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts. -![figure 3](images/mobile-security-guide-figure3.png) +![figure 3.](images/mobile-security-guide-figure3.png) Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system. diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index ab40f94622..582297f71b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
@@ -37,7 +37,7 @@ Refer to the below video for an overview and brief demo. > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp] ## Policy Authorization Process -![Policy Authorization](images/wdac-intune-policy-authorization.png) +![Policy Authorization.](images/wdac-intune-policy-authorization.png) The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly. 1. Generate a supplemental policy with WDAC tooling 
@@ -89,11 +89,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number. ## Standard Process for Deploying Apps through Intune -![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) +![Deploying Apps through Intune.](images/wdac-intune-app-deployment.png) Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment. ## Optional: Process for Deploying Apps using Catalogs -![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png) +![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png) Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well. Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index f197b8f4b2..af49d0b081 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. -![applocker blocked application error message](images/blockedappmsg.gif) +![applocker blocked application error message.](images/blockedappmsg.gif) For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 5350f5c843..9ffaf2b82c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
@@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. -![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) +![applocker rule enforcement inheritance chart.](images/applocker-plan-inheritance.gif) In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 0f909bdf3d..a51539d046 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application The following diagram shows the main points in the design, planning, and deployment process for AppLocker. -![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) +![applocker quick reference guide.](images/applocker-plandeploy-quickreference.gif) ## Resources to support the deployment process 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index bc1218b82c..671bd29bf1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -46,7 +46,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these **Figure 1. Exceptions to the deployed WDAC policy**
- ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index cb94565bff..706f2e6d6a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
@@ -45,7 +45,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). **Figure 1. Exceptions to the deployed WDAC policy** - ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index b9ca84a296..761ea31822 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md 
@@ -39,7 +39,7 @@ ECDSA is not supported. 2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. - ![CA snap-in showing Certificate Templates](images/dg-fig27-managecerttemp.png) + ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png) Figure 1. Manage the certificate templates @@ -55,7 +55,7 @@ ECDSA is not supported. 8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. - ![Edit Basic Constraints Extension](images/dg-fig29-enableconstraints.png) + ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png) Figure 2. Select constraints on the new template @@ -71,7 +71,7 @@ When this certificate template has been created, you must publish it to the CA p 1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3. - ![Select Certificate Template to Issue](images/dg-fig30-selectnewcert.png) + ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png) Figure 3. Select the new certificate template to issue @@ -89,7 +89,7 @@ Now that the template is available to be issued, you must request one from the c 4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. - ![Request Certificates: more information required](images/dg-fig31-getmoreinfo.png) + ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png) Figure 4. Get more information for your code signing certificate 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 52cac752d2..bdb0bb25f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -142,7 +142,7 @@ To sign the existing catalog file, copy each of the following commands into an e 4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. - ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png) + ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png) Figure 1. Verify that the signing certificate exists @@ -182,7 +182,7 @@ To simplify the management of catalog files, you can use Group Policy preference > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate). - ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png) + ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png) Figure 2. Create a new GPO 
@@ -192,7 +192,7 @@ To simplify the management of catalog files, you can use Group Policy preference 5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3. - ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png) + ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png) Figure 3. Create a new file @@ -202,7 +202,7 @@ To simplify the management of catalog files, you can use Group Policy preference 7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used. - ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png) + ![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png) Figure 4. Set the new file properties @@ -235,7 +235,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c 3. Name the package, set your organization as the manufacturer, and select an appropriate version number. - ![Create Package and Program Wizard](images/dg-fig16-specifyinfo.png) + ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png) Figure 5. Specify information about the new package @@ -257,7 +257,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c - From the **Drive mode** list, select **Runs with UNC name**. - ![Standard Program page of wizard](images/dg-fig17-specifyinfo.png) + ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png) Figure 6. Specify information about the standard program 
@@ -285,7 +285,7 @@ After you create the deployment package, deploy it to a collection so that the c - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. - ![Deploy Software Wizard, User Experience page](images/dg-fig18-specifyux.png) + ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png) Figure 7. Specify the user experience @@ -310,13 +310,13 @@ When catalog files have been deployed to the computers within your environment, 3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8. - ![Create Custom Client Device Settings](images/dg-fig19-customsettings.png) + ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png) Figure 8. Select custom settings 4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9. - ![Software Inventory settings for devices](images/dg-fig20-setsoftwareinv.png) + ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png) Figure 9. Set the software inventory @@ -329,7 +329,7 @@ When catalog files have been deployed to the computers within your environment, 7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10. - ![Path Properties, specifying a path](images/dg-fig21-pathproperties.png) + ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png) Figure 10. Set the path properties 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index d20e96958f..dea3b62b33 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -43,7 +43,7 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md). - ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png) + ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png) 3. Name the new GPO. You can choose any name. @@ -51,7 +51,7 @@ To deploy and manage a WDAC policy with Group Policy: 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**. - ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png) + ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png) 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path. 
@@ -60,7 +60,7 @@ To deploy and manage a WDAC policy with Group Policy: > [!NOTE] > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. - ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png) + ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png) > [!NOTE] > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 250600e081..29fbbe9431 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are: - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] - > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) + > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png) > [!NOTE] > For the _Policy GUID_ value, do not include the curly brackets. diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 848bfe1e62..0c319af7e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -45,7 +45,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab 6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. -![Recommended WDAC policy deployment process](images/policyflow.png) +![Recommended WDAC policy deployment process.](images/policyflow.png) ### Keep WDAC policies in a source control or document management solution diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 2c5382e43b..4915d3faea 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md). -![Selecting a base template for the policy](images/wdac-wizard-template-selection.png) +![Selecting a base template for the policy.](images/wdac-wizard-template-selection.png) Once the base template is selected, give the policy a name and choose where to save the application control policy on disk. @@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi | **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | > [!div class="mx-imgBorder"] -> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) +> ![Rule options UI for Windows Allowed mode policy.](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) ### Advanced Policy Rules Description 
@@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | -![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png) +![Rule options UI for Windows Allowed mode.](images/wdac-wizard-rule-options-UI.png) > [!NOTE] > We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. @@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | -![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) +![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules 
@@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c | **Internal name** | Specifies the internal name of the binary. | > [!div class="mx-imgBorder"] -> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) +> ![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) ### File Hash Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index bca81708e6..5f96c11702 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md 
@@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [ Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation. -![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png) +![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png) If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. -![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png) +![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png) Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). -![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png) +![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png) ## Configuring Policy Rules 
@@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | -![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png) +![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png) ## Creating custom file rules @@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | -![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) +![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png) ### Filepath Rules @@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c | **Internal name** | Specifies the internal name of the binary. | -![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) +![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png) ### File Hash Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index 2b94c7f004..09c88d84aa 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). -![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png) +![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png) A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules). 
@@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. -![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png) +![Removing file rule from policy during edit.](images/wdac-wizard-edit-remove-file-rule.png) **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md index ec6e988048..66ad01329f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md 
@@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. -![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png) +![Merging WDAC policies into a final WDAC policy.](images/wdac-wizard-merge.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 6da28ad681..ed1a7fe460 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -57,4 +57,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 80d025f7ac..544e90142e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
@@ -76,4 +76,4 @@ This can only be done in Group Policy. > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 1bfddcc3f2..969d80c8bf 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -32,11 +32,11 @@ ms.technology: mde You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![The security center custom fly-out](images/security-center-custom-flyout.png) +![The security center custom fly-out.](images/security-center-custom-flyout.png) This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). -![A security center notification](images/security-center-custom-notif.png) +![A security center notification.](images/security-center-custom-notif.png) Users can select the displayed information to initiate a support request: 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 919f2cb7a2..13fce0f2d5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -56,4 +56,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f0627d2869..f4d3053cd9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -50,7 +50,7 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) ## Disable the Clear TPM button If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index c7d0fb4944..274c66bd66 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -55,4 +55,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 5cf74d9fdf..3a14dc7c26 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -52,5 +52,5 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 762e9c7402..87960171d1 100644 
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -63,7 +63,7 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) ## Hide the Ransomware protection area diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 146bdcc78e..30cc06c3d0 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md 
@@ -34,7 +34,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 17eb0a98fd..fe03727f33 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -31,7 +31,7 @@ In Windows 10, version 1709 and later, the app also shows information from third In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. -![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) +![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png) > [!NOTE] > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). 
@@ -55,19 +55,19 @@ You can find more information about each section, including options for configur > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) ## Open the Windows Security app - Click the icon in the notification area on the taskbar. - ![Screenshot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) + ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png) - Search the Start menu for **Windows Security**. - ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) + ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screenshot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) + ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png) > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 8b55c05b3e..848345ef8b 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -52,7 +52,7 @@ DRTM lets the system freely boot into untrusted code initially, but shortly afte This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. -![System Guard Secure Launch](images/system-guard-secure-launch.png) +![System Guard Secure Launch.](images/system-guard-secure-launch.png) Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
@@ -82,7 +82,7 @@ While Windows Defender System Guard provides advanced protection that will help As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. -![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) +![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png) After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 14695d80d0..55321967df 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -38,13 +38,13 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. - ![Secure Launch Configuration](images/secure-launch-group-policy.png) + ![Secure Launch Configuration.](images/secure-launch-group-policy.png) ### Windows Security Center Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. - ![Windows Security Center](images/secure-launch-security-app.png) + ![Windows Security Center.](images/secure-launch-security-app.png) ### Registry 
@@ -58,13 +58,13 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > 5. Double-click **Enabled**, change the value to **1**, and click **OK**. - ![Secure Launch Registry](images/secure-launch-registry.png) + ![Secure Launch Registry.](images/secure-launch-registry.png) ## How to verify System Guard Secure Launch is configured and running To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security Center.](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 71f0392376..5819f886fd 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md 
@@ -38,7 +38,7 @@ type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./op When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. -![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png) +![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png) *Figure 1: Windows Defender Firewall* @@ -55,7 +55,7 @@ View detailed settings for each profile by right-clicking the top-level **Window Maintain the default settings in Windows Defender Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. -![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png) +![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png) *Figure 2: Default inbound/outbound settings* @@ -70,7 +70,7 @@ In many cases, a next step for administrators will be to customize these profile This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: -![Rule creation wizard](images/fw02-createrule.png) +![Rule creation wizard.](images/fw02-createrule.png) *Figure 3: Rule Creation Wizard* @@ -131,7 +131,7 @@ To determine why some applications are blocked from communicating in the network Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. -![Windows Firewall prompt](images/fw04-userquery.png) +![Windows Firewall prompt.](images/fw04-userquery.png) *Figure 4: Dialog box to allow access* 
@@ -148,7 +148,7 @@ Rule merging settings control how rules from different policy sources can be com The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy. -![Customize settings](images/fw05-rulemerge.png) +![Customize settings.](images/fw05-rulemerge.png) *Figure 5: Rule merging setting* @@ -180,11 +180,11 @@ An important firewall feature you can use to mitigate damage during an active at Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. -![Incoming connections](images/fw06-block.png) +![Incoming connections.](images/fw06-block.png) *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* -![Firewall cpl](images/fw07-legacy.png) +![Firewall cpl.](images/fw07-legacy.png) *Figure 7: Legacy firewall.cpl* diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 0e67454be2..37d7edb647 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md 
@@ -32,7 +32,7 @@ The GPOs you build for the boundary zone include IPsec or connection security ru Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. -![design flowchart](images/wfas-designflowchart1.gif) +![design flowchart.](images/wfas-designflowchart1.gif) The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index bf9a3f7d47..479b2e67af 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md 
@@ -28,7 +28,7 @@ ms.technology: mde To get started, open Device Configuration in Intune, then create a new profile. Choose Windows 10 as the platform, and Endpoint Protection as the profile type. Select Windows Defender Firewall. -![Windows Defender Firewall in Intune](images/windows-firewall-intune.png) +![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png) >[!IMPORTANT] >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 0e7f47576b..8f27c49ab5 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -32,7 +32,7 @@ In addition to the basic protection provided by the firewall rules in the previo The following illustration shows the traffic protection needed for this design example. -![domain isolation policy design](images/wfas-design2example1.gif) +![domain isolation policy design.](images/wfas-design2example1.gif) 1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. 
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 6c13157e59..659827d1c6 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -34,7 +34,7 @@ By using connection security rules based on IPsec, you provide a logical barrier The design is shown in the following illustration, with the arrows that show the permitted communication paths. -![isolated domain boundary zone](images/wfasdomainisoboundary.gif) +![isolated domain boundary zone.](images/wfasdomainisoboundary.gif) Characteristics of this design, as shown in the diagram, include the following: diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 90d5fd2514..718505a9d7 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -22,7 +22,7 @@ Debugging packet drops is a continuous issue to Windows customers. In the past, Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. -![Event properties](images/event-properties-5157.png) +![Event properties.](images/event-properties-5157.png) The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. 
@@ -73,7 +73,7 @@ To enable a specific audit event, run the corresponding command in an administra As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on. -![Event audit](images/event-audit-5157.png) +![Event audit.](images/event-audit-5157.png) The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**. @@ -86,7 +86,7 @@ Get-NetFirewallRule -Name “” Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} " ``` -![Firewall rule](images/firewallrule.png) +![Firewall rule.](images/firewallrule.png) After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`. @@ -118,7 +118,7 @@ Get-NetIPInterface –InterfaceIndex Get-NetIPInterface –InterfaceIndex 5 ``` -![Quarantine default block filter](images/quarantine-default-block-filter.png) +![Quarantine default block filter.](images/quarantine-default-block-filter.png) To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md). @@ -139,7 +139,7 @@ To generate a list of all the query user block rules, you can run the following Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} ``` -![Query user default block filter](images/query-user-default-block-filters.png) +![Query user default block filter.](images/query-user-default-block-filters.png) The query user pop-up feature is enabled by default. 
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 8c8fb36ee5..5a6acfea96 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -38,7 +38,7 @@ The network administrators want to implement Windows Defender Firewall with Adva The following illustration shows the traffic protection needs for this design example. -![design example 1](images/wfas-designexample1.gif) +![design example 1.](images/wfas-designexample1.gif) 1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 7b95852c3d..265019f489 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
@@ -41,7 +41,7 @@ The following are important factors in the implementation of your Windows Defend The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. -![wfas implementation](images/wfas-implement.gif) +![wfas implementation.](images/wfas-implement.gif) Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index 87bab115a6..bd087a2124 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -196,7 +196,7 @@ Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /s Sample drop audit with `filterOrigin` as `Quarantine Default`. -![Quarantine default](images/quarantine-default1.png) +![Quarantine default.](images/quarantine-default1.png) Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface: 
@@ -205,7 +205,7 @@ Get-NetIPInterface –InterfaceIndex Get-NetIPInterface –InterfaceIndex 5 ``` -![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png) +![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png) Using the interface name, event viewer can be searched for any interface related changes. diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 81a548b4ee..8fbeb35412 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -30,7 +30,7 @@ For devices that share sensitive information over the network, Windows Defender The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. -![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif) +![encryption zone in an isolated domain.](images/wfas-domainisoencrypt.gif) This goal provides the following benefits: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index a50232fe28..1a7c288575 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md 
@@ -34,7 +34,7 @@ You can restrict access by specifying either computer or user credentials. The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. -![isolated domain with network access groups](images/wfas-domainnag.gif) +![isolated domain with network access groups.](images/wfas-domainnag.gif) This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index d7de7d8963..5285e56ad9 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -35,7 +35,7 @@ The protection provided by domain isolation can help you comply with regulatory The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. -![domain isolation](images/wfas-domainiso.gif) +![domain isolation.](images/wfas-domainiso.gif) These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: 
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 4c6f3f4fb7..8cb2a35d50 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -59,7 +59,7 @@ These procedures assume that you already have a public key infrastructure (PKI) The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. -![the contoso corporate network](images/corpnet.gif) +![the contoso corporate network.](images/corpnet.gif) **Figure 1** The Contoso corporate network @@ -77,7 +77,7 @@ This script does the following: - Creates the IKEv2 connection security rule called **My IKEv2 Rule**. -![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** +![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. 
@@ -117,7 +117,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. -![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** +![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index 0e2b6ce11e..a0070cf114 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -46,7 +46,7 @@ In addition to the protection provided by the firewall rules and domain isolatio The following illustration shows the traffic protection needs for this design example. -![isolated server example](images/wfas-design3example1.gif) +![isolated server example.](images/wfas-design3example1.gif) 1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index f4d452b4cf..7d44e7c17c 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -32,7 +32,7 @@ You can implement a server isolation design without using domain isolation. To d The design is shown in the following illustration, with arrows that show the permitted communication paths. -![isolated domain with isolated server](images/wfas-domainisohighsec.gif) +![isolated domain with isolated server.](images/wfas-domainisohighsec.gif) Characteristics of this design include the following: diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 3e383743a4..bf70a3a3b7 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md 
@@ -328,7 +328,7 @@ Windows PowerShell can create powerful, complex IPsec policies like in Netsh and In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. -![object model for creating a single ipsec rule](images/createipsecrule.gif) +![object model for creating a single ipsec rule.](images/createipsecrule.gif) ### Create IPsec rules @@ -353,7 +353,7 @@ If you want to create a custom set of quick-mode proposals that includes both AH You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. -![crypto set object](images/qmcryptoset.gif) +![crypto set object.](images/qmcryptoset.gif) In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index f18a5180db..8e719f1364 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md 
@@ -61,12 +61,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) +[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) ## Related Videos diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index cfb7427cbc..170918a4fa 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -60,12 +60,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog](./../images/community.png)](/archive/blogs/secguide/) +[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) ## Related Videos diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index 1387997652..b99b7a48ad 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -38,7 +38,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 1. Go to the article that you want to update, and then click **Edit**. - ![GitHub Web, showing the Edit link](images/contribute-link.png) + ![GitHub Web, showing the Edit link.](images/contribute-link.png) 2. Sign into (or sign up for) a GitHub account. 
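Review bot: The two copies of windows-security-baselines.md touched by this hunk and the previous one still point their Community image link at different destinations: the threat-protection copy links to `https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines`, while this windows-security-configuration-framework copy links to `/archive/blogs/secguide/`. The alt-text change is fine, but since both files are being edited in the same pass it would be worth aligning the link target (or confirming which of the two pages is the canonical one) so the duplicated articles do not keep drifting apart.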
@@ -46,7 +46,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 3. Click the **Pencil** icon (in the red box) to edit the content. - ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) + ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) @@ -55,11 +55,11 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**. - ![GitHub Web, showing the Propose file change button](images/propose-file-change.png) + ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) The **Comparing changes** screen shows the changes between your version of the article and the original content. @@ -67,7 +67,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) 8. Click **Create pull request**. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 83e1c6b032..256dad7a3a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -![Microsoft Defender for Endpoint](../images/wdatp.png) +![Microsoft Defender for Endpoint.](../images/wdatp.png) ##### Attack surface reduction @@ -275,7 +275,7 @@ The WSC service now requires antivirus products to run as a protected process to WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. -![Security at a glance](../images/defender.png "Windows Security Center") +![Security at a glance.](../images/defender.png "Windows Security Center") #### Group Policy Security Options @@ -288,7 +288,7 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![S mode settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") +![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings") ## Deployment 
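Review bot: In the whats-new-windows-10-2019.md hunk at @@ -288,7, the alt text `![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")` does not describe the image: the file name and the title attribute both say the screenshot is the Virus & threat protection settings page, and the surrounding paragraph is about the Current threats area. Adding the trailing period keeps the wrong description. Suggest `![Virus & threat protection settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")`, which is the alt text the same image already carries in the whats-new-windows-10-version-1809.md hunk at @@ -46,7.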
@@ -387,7 +387,7 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in](../images/fastsignin.png "fast sign-in") + ![fast sign-in.](../images/fastsignin.png "fast sign-in") ### Web sign-in to Windows 10 @@ -402,7 +402,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. -![Sign-in option](../images/websignin.png "web sign-in") +![Sign-in option.](../images/websignin.png "web sign-in") ## Windows Analytics @@ -470,7 +470,7 @@ The OS uninstall period is a length of time that users are given when they can o Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard](../images/bulk-token.png) +![get bulk token action in wizard.](../images/bulk-token.png) ### Windows Spotlight @@ -636,7 +636,7 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. -![Reg editor](../images/regeditor.png "Registry editor dropdown") +![Reg editor.](../images/regeditor.png "Registry editor dropdown") ## Remote Desktop with Biometrics 
@@ -650,9 +650,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: -![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Provide credentials](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") +![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello") +![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016") ## See Also diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index b05bba2289..48bf6b509b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -31,11 +31,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. -![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png) +![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png) Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp). -![remove pre-installed software option](images/wcd-cleanpc.png) +![remove pre-installed software option.](images/wcd-cleanpc.png) [Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) 
@@ -44,7 +44,7 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard](images/bulk-token.png) +![get bulk token action in wizard.](images/bulk-token.png) ### Windows Spotlight @@ -279,7 +279,7 @@ Learn about the new Group Policies that were added in Windows 10, version 1703. The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml). -![Lockdown Designer app in Store](images/ldstore.png) +![Lockdown Designer app in Store.](images/ldstore.png) [Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index e73c5af9bc..6410248ff6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
@@ -46,7 +46,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: > [!div class="mx-imgBorder"] -> ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") +> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -109,16 +109,16 @@ To try this: See the following example: > [!div class="mx-imgBorder"] -> ![Security at a glance](images/1_AppBrowser.png "app and browser control") +> ![Security at a glance.](images/1_AppBrowser.png "app and browser control") > [!div class="mx-imgBorder"] -> ![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing") > [!div class="mx-imgBorder"] -> ![change WDAG settings](images/3_ChangeSettings.png "change settings") +> ![change WDAG settings.](images/3_ChangeSettings.png "change settings") > [!div class="mx-imgBorder"] -> ![view WDAG settings](images/4_ViewSettings.jpg "view settings") +> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings") ### Windows Security Center 
@@ -130,7 +130,7 @@ The WSC service now requires antivirus products to run as a protected process to WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. -![alt text](images/defender.png "Windows Security Center") +![alt text.](images/defender.png "Windows Security Center") ### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes @@ -195,7 +195,7 @@ We introduced a simplified assigned access configuration experience in **Setting To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. -![set up a kiosk](images/kiosk-mode.png "set up a kiosk") +![set up a kiosk.](images/kiosk-mode.png "set up a kiosk") Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. @@ -203,7 +203,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty 2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. -![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") +![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
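Review bot: In the whats-new-windows-10-version-1809.md hunk at @@ -130,7, `![alt text.](images/defender.png "Windows Security Center")` is still a placeholder; the period does not turn "alt text" into a description a screen reader can use. The same image in the whats-new-windows-10-2019.md hunk at @@ -275,7 uses `![Security at a glance.](../images/defender.png "Windows Security Center")`, so suggest the same wording here.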
@@ -212,11 +212,11 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. -![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") +![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. -![normal mode](images/Normal_inFrame.png "normal mode") +![normal mode.](images/Normal_inFrame.png "normal mode") Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). @@ -224,7 +224,7 @@ Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-ed We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. -![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") +![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown") ## Faster sign-in to a Windows 10 shared pc @@ -237,7 +237,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in](images/fastsignin.png "fast sign-in") + ![fast sign-in.](images/fastsignin.png "fast sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. 
@@ -259,7 +259,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 4. Click the **Sign in** button to continue. > [!div class="mx-imgBorder"] - > ![Web sign-in](images/websignin.png "web sign-in") + > ![Web sign-in.](images/websignin.png "web sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. @@ -271,7 +271,7 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. > [!div class="mx-imgBorder"] -> ![your phone](images/your-phone.png "your phone") +> ![your phone.](images/your-phone.png "your phone") The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. @@ -283,7 +283,7 @@ One of the things we’ve heard from you is that it’s hard to know when you’ * Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly * Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. -![wireless projection banner](images/beaming.png "wireless projection banner") +![wireless projection banner.](images/beaming.png "wireless projection banner") ## Remote Desktop with Biometrics 
@@ -293,6 +293,6 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: -![Enter your credentials](images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") +![Enter your credentials.](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials.](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016") diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 371bf97c95..74eb1725e2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -125,7 +125,7 @@ The draft release of the [security configuration baseline settings](/archive/blo This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: -![System Guard](images/system-guard.png "SMM Firmware Measurement") +![System Guard.](images/system-guard.png "SMM Firmware Measurement") ### Identity Protection diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index ac0d4984f2..692871b1c3 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md 
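Review bot: In the whats-new-windows-10-version-1809.md hunk at @@ -293,6, the two Remote Desktop with Biometrics screenshots RDPwBioTime.png and RDPwBio2.png end up with identical alt text `Enter your credentials.`, so the two images are indistinguishable to a screen reader. The LTSC 2019 version of this section in the whats-new-windows-10-2019.md hunk at @@ -650,9 already uses `![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal")` for the second image; suggest using the same distinct alt text here.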
@@ -43,7 +43,7 @@ In this release, [Windows Defender System Guard](/windows/security/threat-prote With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. - ![System Guard](images/system-guard2.png) + ![System Guard.](images/system-guard2.png) ### Windows Defender Application Guard From 211e1eb553c1e1f0ab815612fd6ee081ead7da7a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 10:16:06 -0700 Subject: [PATCH 29/41] Update policy-csp-settings.md --- windows/client-management/mdm/policy-csp-settings.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 4a109d3361..75491097c1 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -177,6 +177,9 @@ The following list shows the supported values: Allows the user to change Data Sense settings. +> [!NOTE] +> This policy is not supported on Windows 10, version 2004 and later. + The following list shows the supported values: From cabc06b7e02f04c2b5084b17f0ef8d70ae064c06 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 10:18:43 -0700 Subject: [PATCH 30/41] Update policy-csp-settings.md --- windows/client-management/mdm/policy-csp-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 75491097c1..7152934f2d 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md 
@@ -178,7 +178,7 @@ The following list shows the supported values: Allows the user to change Data Sense settings. > [!NOTE] -> This policy is not supported on Windows 10, version 2004 and later. +> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later. From 075cbe27a52e03b16f96d6b0c27e22bb2645ebc6 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 11:34:25 -0700 Subject: [PATCH 31/41] Update quick-fixes.md --- windows/deployment/upgrade/quick-fixes.md | 71 ----------------------- 1 file changed, 71 deletions(-) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 8aafc8f67d..d9c4e34fd7 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -39,7 +39,6 @@ The Microsoft Virtual Agent provided by [Microsoft Support](https://support.micr
  • Check the system drive for errors and attempt repairs. More information.
  • Run the Windows Update troubleshooter. More information.
  • Attempt to restore and repair system files. More information.
  • -
  • Check for unsigned drivers and update or repair them. More information.
  • Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
  • Temporarily uninstall non-Microsoft antivirus software. More information.
  • 
@@ -156,76 +155,6 @@ To check and repair system files: > [!NOTE] > It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) and [Use the System File Checker tool](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system). - -### Repair unsigned drivers - -[Drivers](/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components. Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you: -- Disabled driver signature verification (highly not recommended). -- A catalog file used to sign a driver is corrupt or missing. - - Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works. - -To check your system for unsigned drivers: - -1. Click **Start**. -2. Type **command**. -3. Right-click **Command Prompt** and then left-click **Run as administrator**. -4. If you are prompted by UAC, click **Yes**. -5. Type **sigverif** and press ENTER. -6. The File Signature Verification tool will open. Click **Start**. - - ![File Signature Verification.](../images/sigverif.png) - -7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. 
Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers. -8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired. -9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below). -10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**. - - [Sigcheck](/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck: - -11. In the command window, use the **cd** command to switch to the directory where you extracted sigcheck, for example **cd c:\sigcheck**. -12. Using the list of unsigned drivers and their associated paths that you obtained from the File Signature Verification tool, run sigcheck to obtain details about the driver, including the catalog file used for signing. Type **sigcheck64 -i \** and press ENTER (or sigcheck -i for a 32 bit OS). 
See the following example: - ``` - C:\Sigcheck>sigcheck64.exe -i c:\windows\system32\drivers\afd.sys - - Sigcheck v2.80 - File version and signature viewer - Copyright (C) 2004-2020 Mark Russinovich - Sysinternals - www.sysinternals.com - - c:\windows\system32\drivers\afd.sys: - Verified: Signed - Signing date: 6:18 PM 11/29/2017 - Signing date: 6:18 PM 11/29/2017 - Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat - Signers: - Microsoft Windows - Cert Status: This certificate or one of the certificates in the certificate chain is not time valid. - Valid Usage: NT5 Crypto, Code Signing - Cert Issuer: Microsoft Windows Verification PCA - Serial Number: 33 00 00 00 4B 76 63 2D 24 A2 39 9A 8B 00 01 00 00 00 4B - Thumbprint: B8037C46D0DB7A8CEE502407469B0EE3234D3365 - Algorithm: sha1RSA - Valid from: 11:46 AM 3/1/2017 - Valid to: 11:46 AM 5/9/2018 - (output truncated) - ``` - In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat. - - -13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example: - - ```cmd - C:\>Driverquery /si - - DeviceName InfName IsSigned Manufacturer - ============================== ============= ======== ========================= - Microsoft ISATAP Adapter nettun.inf TRUE Microsoft - Generic volume shadow copy volsnap.inf TRUE Microsoft - Generic volume volume.inf TRUE Microsoft - (truncated) - ``` - For more information about using driverquery, see [Two Minute Drill: DriverQuery.exe](https://techcommunity.microsoft.com/t5/ask-the-performance-team/two-minute-drill-driverquery-exe/ba-p/374977) and [driverquery](/windows-server/administration/windows-commands/driverquery). 
- ### Update Windows You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer. From 6e52b7eeecd44c49dc03fab2bd3c0b842d68e7ab Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 11:41:32 -0700 Subject: [PATCH 32/41] remove link --- windows/deployment/upgrade/resolution-procedures.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 926355e4cc..9752ac670c 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -36,7 +36,7 @@ A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1 The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). -To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. Also check to be sure that your drivers are properly signed. For more information, see [Remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers). +To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. See the following general troubleshooting procedures associated with a result code of 0xC1900101:
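Review bot: deleting the whole "Repair unsigned drivers" section leaves the `#repair-unsigned-drivers` anchor dangling for every page that still links to `quick-fixes.md#repair-unsigned-drivers`; resolution-procedures.md does so twice (the 0xC1900101 paragraph and the 0xC1900101 - 0x40017 table row), so those links must be retired in the same change or a link check run before merge. The removed block is also the only place in this set that explains why a .sys driver can appear unsigned (a missing or corrupt .cat catalog file) and how to confirm a signature with `sigcheck64 -i` or `driverquery /si`; if the material is being moved rather than dropped, the commit message should say where, otherwise consider keeping a one-line pointer to the Sigcheck and driverquery documentation under "Update Windows".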

    @@ -49,7 +49,7 @@ See the following general troubleshooting procedures associated with a result co | 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
    Contact your hardware vendor to obtain updated device drivers.
    Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. | | 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
    Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
    This can occur due to a problem with a display driver. | | 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
    Review the rollback log and determine the stop code.
    The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
     
    Info SP Crash 0x0000007E detected
    Info SP Module name :
    Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
    Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
    Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
    Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
    Info SP Cannot recover the system.
    Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
     
    Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
     
    1. Make sure you have enough disk space.
    2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
    3. Try changing video adapters.
    4. Check with your hardware vendor for any BIOS updates.
    5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
    Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
    This can occur because of incompatible drivers. | -| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
     
    Ensure that you select the option to "Download and install updates (recommended)." Also be sure to [remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers).
     
    Computers that run Citrix VDA
    You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
     
    This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
     
    **Resolution**
     
    To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
     
    You can work around this problem in two ways:
     
    **Workaround 1**
     
    1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
    2. Run the Windows upgrade again.
    3. Reinstall Citrix VDA.
     
    **Workaround 2**
     
    If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
     
    1. In Registry Editor, go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
    2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
    3. Go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
    4. Delete the **CtxMcsWbc** entry.
    5. Restart the computer, and then try the upgrade again.
     
    **Non-Microsoft information disclaimer**
    The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
    This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. | +| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
    Ensure that you select the option to "Download and install updates (recommended)."
     
    Computers that run Citrix VDA
    You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
     
    This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
     
    **Resolution**
     
    To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
     
    You can work around this problem in two ways:
     
    **Workaround 1**
     
    1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
    2. Run the Windows upgrade again.
    3. Reinstall Citrix VDA.
     
    **Workaround 2**
     
    If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
     
    1. In Registry Editor, go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
    2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
    3. Go to the following subkey:
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
    4. Delete the **CtxMcsWbc** entry.
    5. Restart the computer, and then try the upgrade again.
     
    **Non-Microsoft information disclaimer**
    The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
    This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. | ## 0x800xxxxx From e290767023c698f17082d5fdda56953c4d7fd112 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 12:01:19 -0700 Subject: [PATCH 33/41] tweaks --- .../upgrade/resolve-windows-10-upgrade-errors.md | 2 +- .../deployment/upgrade/troubleshoot-upgrade-errors.md | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index b22dd3682c..24ed5c4e2b 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -25,7 +25,7 @@ ms.topic: article This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. -The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. +The article has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. The following four levels are assigned: diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index bdb7e4814a..aa3ccead81 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -20,12 +20,15 @@ ms.topic: article **Applies to** - Windows 10 ->[!NOTE] ->This is a 300 level topic (moderately advanced).
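Review bot: the `0xC1900101 - 0x40017` row drops the sentence "Also be sure to [remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers)" together with its link, so the row's guidance now ends at accepting "Download and install updates (recommended)" while the Cause column still says the failure "is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers." Consider keeping the driver-signing advice as plain text (or pointing to the driverquery/Sigcheck documentation) instead of deleting it along with the broken link; the same applies to the line-36 hunk of this file. The new row also removes the blank separator before "Ensure that you select the option...", so verify the rendered table cell still breaks there as intended.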
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +> [!NOTE] +> This is a 300 level topic (moderately advanced).
    +> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. +> [!IMPORTANT] +> Use the [SetupDiag](setupdiag.md) tool before you begin manually troubleshooting an upgrade error. SetupDiag automates log file analysis, detecting and reporting details on many different types of known upgrade issues. + Briefly, the upgrade process consists of four phases that are controlled by [Windows Setup](/windows-hardware/manufacture/desktop/windows-setup-technical-reference): **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. From ccda6e6778f7ad2a143995ff58cd58798d418273 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 27 Aug 2021 12:05:07 -0700 Subject: [PATCH 34/41] alt text --- windows/deployment/upgrade/troubleshoot-upgrade-errors.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index aa3ccead81..d8183e1f62 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md 
@@ -76,11 +76,11 @@ When performing an operating system upgrade, Windows Setup uses phases described At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - ![second boot phase.](../images/secondboot.png) + ![second boot phase 1](../images/secondboot.png) - ![second boot phase.](../images/secondboot2.png) + ![second boot phase 2](../images/secondboot2.png) - ![second boot phase.](../images/secondboot3.png) + ![second boot phase 3](../images/secondboot3.png) 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. From 7c48aa5062c1c8c73e0d1f79034975a7d86de068 Mon Sep 17 00:00:00 2001 
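Review bot: the new alt text "second boot phase 1", "second boot phase 2" and "second boot phase 3" reads as if there were three numbered phases, whereas the surrounding text describes a single second boot phase shown across three screenshots (the Welcome to Windows 10 screen, preference configuration, the sign-in prompt); alt text such as "Second boot phase, screen 1 of 3" or one naming what each screenshot shows would be clearer for screen-reader users and still satisfies the unique-alt-text requirement that motivated this change.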
From: David Strome Date: Fri, 27 Aug 2021 15:09:49 -0700 Subject: [PATCH 35/41] remove disallowed html attributes --- .../ie11-deploy-guide/img-ie11-docmode-lg.md | 2 +- .../educator-tib-get-started.md | 2 +- education/trial-in-a-box/index.md | 2 +- .../trial-in-a-box/itadmin-tib-get-started.md | 2 +- .../windows/chromebook-migration-guide.md | 2 +- ...e-active-directory-integration-with-mdm.md | 440 +++++++-------- .../mdm/cellularsettings-csp.md | 4 +- .../change-history-for-mdm-documentation.md | 304 +++++------ windows/client-management/mdm/cleanpc-csp.md | 10 +- .../mdm/cm-cellularentries-csp.md | 78 +-- .../mdm/developersetup-csp.md | 34 +- .../mdm/device-update-management.md | 266 +++++----- .../mdm/dmprocessconfigxmlfiltered.md | 52 +- .../mdm/dmsessionactions-csp.md | 34 +- .../mdm/dynamicmanagement-csp.md | 44 +- .../mdm/enterpriseapn-csp.md | 70 +-- .../mdm/enterpriseappvmanagement-csp.md | 80 +-- .../mdm/enterpriseextfilessystem-csp.md | 20 +- windows/client-management/mdm/firewall-csp.md | 260 ++++----- .../mdm/healthattestation-csp.md | 500 +++++++++--------- ...ent-tool-for-windows-store-for-business.md | 8 +- .../client-management/mdm/messaging-csp.md | 28 +- .../mdm/mobile-device-enrollment.md | 126 ++--- .../mdm/networkqospolicy-csp.md | 56 +- .../mdm/oma-dm-protocol-support.md | 138 ++--- .../mdm/personalization-csp.md | 18 +- .../policy-configuration-service-provider.md | 58 +- .../mdm/policy-csp-devicelock.md | 26 +- .../mdm/policy-csp-system.md | 18 +- .../mdm/policy-csp-update.md | 26 +- windows/client-management/mdm/reboot-csp.md | 22 +- .../client-management/mdm/remotelock-csp.md | 2 +- .../client-management/mdm/surfacehub-csp.md | 214 ++++---- .../client-management/mdm/tpmpolicy-csp.md | 4 +- windows/client-management/mdm/update-csp.md | 96 ++-- .../windowsadvancedthreatprotection-csp.md | 68 +-- windows/configuration/kiosk-single-app.md | 16 +- .../provisioning-configure-mobile.md | 8 +- .../provision-pcs-for-initial-deployment.md | 12 +- 
...anging-the-frequency-of-scheduled-tasks.md | 2 +- windows/deployment/mbr-to-gpt.md | 2 +- windows/deployment/upgrade/log-files.md | 8 +- .../deployment/upgrade/upgrade-error-codes.md | 84 +-- .../usmt/offline-migration-reference.md | 4 +- .../usmt/understanding-migration-xml-files.md | 6 +- .../usmt/usmt-conflicts-and-precedence.md | 6 +- .../usmt/usmt-custom-xml-examples.md | 14 +- .../usmt/usmt-xml-elements-library.md | 2 +- .../windows-10-deployment-scenarios.md | 58 +- windows/deployment/windows-10-poc-mdt.md | 6 +- windows/deployment/windows-10-poc.md | 122 ++--- .../demonstrate-deployment-on-vm.md | 2 +- .../threat-protection/fips-140-validation.md | 288 +++++----- .../document-your-applocker-rules.md | 2 +- .../plan-for-applocker-policy-management.md | 2 +- ...ements-for-deploying-applocker-policies.md | 2 +- 56 files changed, 1880 insertions(+), 1880 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index 30de0a2c97..a285c99103 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -16,7 +16,7 @@ ms.author: dansimp Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
    -

    +

    Full-sized flowchart detailing how document modes are chosen in IE11

    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index bbf1be6015..92cf989109 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -20,7 +20,7 @@ manager: dansimp ![Welcome, Educators!](images/Welocme-Educators.png) -This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps. +This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps. | Tool | Description | | :---: |:--- | diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 5f1c865bce..2ea43581c9 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -30,7 +30,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea | [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) | | :---: | :---: | -| **Educator**
    Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
    [Get started](educator-tib-get-started.md) | **IT Admin**
    Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
    [Get started](itadmin-tib-get-started.md) | +| **Educator**
    Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills.
    [Get started](educator-tib-get-started.md) | **IT Admin**
    Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage.
    [Get started](itadmin-tib-get-started.md) | diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index d0ba6a05b3..911f893986 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -20,7 +20,7 @@ manager: dansimp ![Welcome, IT Admins!](images/Welcome-IT-Admins.png) -Learn how to quickly deploy and manage devices for your school in 5 quick steps. +Learn how to quickly deploy and manage devices for your school in 5 quick steps. |  |  | | :---: |:--- | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index d927aef072..2fb2324ddc 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -497,7 +497,7 @@ Table 6 is a decision matrix that lists the device, user, and app management pro Table 6. Device, user, and app management products and technologies -
    +
    diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 97f22aae88..a65935c948 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -195,24 +195,24 @@ The following table shows the required information to create an entry in the Azu - - + + - - + + - - + + - - + + - - + +

    Application ID

    The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.

    Application ID

    The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.

    Publisher

    A string that identifies the publisher of the app.

    Publisher

    A string that identifies the publisher of the app.

    Application URL

    A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.

    Application URL

    A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.

    Description

    A brief description of your MDM app, which must be under 255 characters.

    Description

    A brief description of your MDM app, which must be under 255 characters.

    Icons

    A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215

    Icons

    A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215

    @@ -261,19 +261,19 @@ An MDM page must adhere to a predefined theme depending on the scenario that is -FRX -OOBE -Dark theme + blue background color -Filename: Ui-dark.css -Filename: oobe-dekstop.css +FRX +OOBE +Dark theme + blue background color +Filename: Ui-dark.css +Filename: oobe-dekstop.css -MOSET -Settings/ +MOSET +Settings/

    Post OOBE

    -Light theme -Filename: Ui-light.css -Filename: settings-desktop.css +Light theme +Filename: Ui-light.css +Filename: settings-desktop.css @@ -302,20 +302,20 @@ The following parameters are passed in the query string: -
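Review bot: the FRX/OOBE row keeps `Filename: oobe-dekstop.css` on both the removed and the added line, which looks like a transposition of `oobe-desktop.css` (its MOSET counterpart on the same table is `settings-desktop.css`); since this hunk rewrites the line anyway, confirm the actual stylesheet name before merging.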

    redirect_uri

    -

    After the user accepts or rejects the Terms of Use, the user is redirected to this URL.

    +

    redirect_uri

    +

    After the user accepts or rejects the Terms of Use, the user is redirected to this URL.

    -

    client-request-id

    -

    A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.

    +

    client-request-id

    +

    A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.

    -

    api-version

    -

    Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.

    +

    api-version

    +

    Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.

    -

    mode

    -

    Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.

    +

    mode

    +

    Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.

    @@ -342,20 +342,20 @@ The following claims are expected in the access token passed by Windows to the T -

    Object ID

    -

    Identifier of the user object corresponding to the authenticated user.

    +

    Object ID

    +

    Identifier of the user object corresponding to the authenticated user.

    -

    UPN

    -

    A claim containing the user principal name (UPN) of the authenticated user.

    +

    UPN

    +

    A claim containing the user principal name (UPN) of the authenticated user.

    -

    TID

    -

    A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

    +

    TID

    +

    A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

    -

    Resource

    -

    A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.

    +

    Resource

    +

    A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.

    @@ -438,28 +438,28 @@ The following table shows the error codes. -

    api-version

    -

    302

    -

    invalid_request

    -

    unsupported version

    +

    api-version

    +

    302

    +

    invalid_request

    +

    unsupported version

    -

    Tenant or user data are missing or other required prerequisites for device enrollment are not met

    -

    302

    -

    unauthorized_client

    -

    unauthorized user or tenant

    +

    Tenant or user data are missing or other required prerequisites for device enrollment are not met

    +

    302

    +

    unauthorized_client

    +

    unauthorized user or tenant

    -

    Azure AD token validation failed

    -

    302

    -

    unauthorized_client

    -

    unauthorized_client

    +

    Azure AD token validation failed

    +

    302

    +

    unauthorized_client

    +

    unauthorized_client

    -

    internal service error

    -

    302

    -

    server_error

    -

    internal service error

    +

    internal service error

    +

    302

    +

    server_error

    +

    internal service error
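Review bot: in the error-code table, the "Azure AD token validation failed" row carries `unauthorized_client` in both the error and the description columns, while the neighbouring rows give a distinct description (`unsupported version`, `unauthorized user or tenant`, `internal service error`); as this line is already being touched, consider a real description for the token-validation case so an MDM implementer can tell it apart from the "Tenant or user data are missing" case that returns the same `unauthorized_client` error.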

    @@ -486,104 +486,104 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov -

    MDM auto-discovery using email address to retrieve MDM discovery URL

    -

    Enrollment

    -

    Not applicable

    +

    MDM auto-discovery using email address to retrieve MDM discovery URL

    +

    Enrollment

    +

    Not applicable

    Discovery URL provisioned in Azure

    -

    +

    -

    Uses MDM discovery URL

    -

    Enrollment

    +

    Uses MDM discovery URL

    +

    Enrollment

    Enrollment renewal

    ROBO

    -

    Enrollment

    +

    Enrollment

    Enrollment renewal

    ROBO

    -

    Enrollment

    +

    Enrollment

    Enrollment renewal

    ROBO

    -

    Is MDM enrollment required?

    -

    Yes

    -

    Yes

    -

    No

    +

    Is MDM enrollment required?

    +

    Yes

    +

    Yes

    +

    No

    User can decline.

    -

    Authentication type

    -

    OnPremise

    +

    Authentication type

    +

    OnPremise

    Federated

    Certificate

    -

    Federated

    -

    Federated

    +

    Federated

    +

    Federated

    -

    EnrollmentPolicyServiceURL

    -

    Optional (all auth)

    -

    Optional (all auth)

    +

    EnrollmentPolicyServiceURL

    +

    Optional (all auth)

    +

    Optional (all auth)

    -

    Optional (all auth)

    +

    Optional (all auth)

    -

    EnrollmentServiceURL

    -

    Required (all auth)

    -

    Used (all auth)

    -

    Used (all auth)

    +

    EnrollmentServiceURL

    +

    Required (all auth)

    +

    Used (all auth)

    +

    Used (all auth)

    -

    EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL

    -

    Highly recommended

    -

    Highly recommended

    -

    Highly recommended

    +

    EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL

    +

    Highly recommended

    +

    Highly recommended

    +

    Highly recommended

    -

    AuthenticationServiceURL used

    -

    Used (Federated auth)

    -

    Skipped

    -

    Skipped

    +

    AuthenticationServiceURL used

    +

    Used (Federated auth)

    +

    Skipped

    +

    Skipped

    -

    BinarySecurityToken

    -

    Custom per MDM

    -

    Azure AD issued token

    -

    Azure AD issued token

    +

    BinarySecurityToken

    +

    Custom per MDM

    +

    Azure AD issued token

    +

    Azure AD issued token

    -

    EnrollmentType

    -

    Full

    -

    Device

    -

    Full

    +

    EnrollmentType

    +

    Full

    +

    Device

    +

    Full

    -

    Enrolled certificate type

    -

    User certificate

    -

    Device certificate

    -

    User certificate

    +

    Enrolled certificate type

    +

    User certificate

    +

    Device certificate

    +

    User certificate

    -

    Enrolled certificate store

    -

    My/User

    -

    My/System

    -

    My/User

    +

    Enrolled certificate store

    +

    My/User

    +

    My/System

    +

    My/User

    -

    CSR subject name

    -

    User Principal Name

    -

    Device ID

    -

    User Principal Name

    +

    CSR subject name

    +

    User Principal Name

    +

    Device ID

    +

    User Principal Name

    -

    EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL

    -

    Not supported

    -

    Supported

    -

    Supported

    +

    EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL

    +

    Not supported

    +

    Supported

    +

    Supported

    -

    CSPs accessible during enrollment

    -

    Windows 10 support:

    +

    CSPs accessible during enrollment

    +

    Windows 10 support:

    • DMClient
    • CertificateStore
    • @@ -598,8 +598,8 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
      • EnterpriseAppManagement (Windows Phone 8.1)
      -

      same as traditional MDM enrollment

      -

      same as traditional MDM enrollment

      +

      same as traditional MDM enrollment

      +

      same as traditional MDM enrollment

      @@ -751,184 +751,184 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di -0x80180001 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180001 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180002 -"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180002 +"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180003 -"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR -

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180003 +"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR +

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180004 -"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR -

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180004 +"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR +

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180005 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180005 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180006 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180006 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180007 -"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180007 +"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180008 -"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180008 +"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180009 -"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS -

      Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180009 +"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS +

      Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.

      -0x8018000A -"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED -

      This device is already enrolled. You can contact your system administrator with the error code {0}.

      +0x8018000A +"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED +

      This device is already enrolled. You can contact your system administrator with the error code {0}.

      -0x8018000D -"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID -

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      +0x8018000D +"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID +

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      -0x8018000E -"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x8018000E +"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x8018000F -"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x8018000F +"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180010 -"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x80180010 +"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x80180012 -"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT -

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180012 +"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT +

      There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180013 -"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED -

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      +0x80180013 +"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED +

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      -0x80180014 -"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED -

      This feature is not supported. Contact your system administrator with the error code {0}.

      +0x80180014 +"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED +

      This feature is not supported. Contact your system administrator with the error code {0}.

      -0x80180015 -"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED -

      This feature is not supported. Contact your system administrator with the error code {0}.

      +0x80180015 +"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED +

      This feature is not supported. Contact your system administrator with the error code {0}.

      -0x80180016 -"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW -

      The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180016 +"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW +

      The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180017 -"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE -

      The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.

      +0x80180017 +"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE +

      The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.

      -0x80180018 -"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE -

      There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180018 +"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE +

      There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.

      -0x80180019 -"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID -

      Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.

      +0x80180019 +"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID +

      Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.

      -"rejectedTermsOfUse" -"idErrorRejectedTermsOfUse" -

      Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.

      +"rejectedTermsOfUse" +"idErrorRejectedTermsOfUse" +

      Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.

      -0x801c0001 -"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c0001 +"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c0002 -"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0002 +"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0003 -"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR -

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0003 +"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR +

      This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0006 -"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c0006 +"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c000B -"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED -The server being contacted is not trusted. Contact your system administrator with the error code {0}. +0x801c000B +"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED +The server being contacted is not trusted. Contact your system administrator with the error code {0}. -0x801c000C -"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c000C +"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c000E -"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED -

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      +0x801c000E +"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED +

      Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

      -0x801c000F -"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT -

      A reboot is required to complete device registration.

      +0x801c000F +"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT +

      A reboot is required to complete device registration.

      -0x801c0010 -"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR -

      Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.

      +0x801c0010 +"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR +

      Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.

      -0x801c0011 -"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0011 +"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0012 -"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR -

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      +0x801c0012 +"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR +

      There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

      -0x801c0013 -"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0013 +"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      -0x801c0014 -"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND -

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

      +0x801c0014 +"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND +

      There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

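Review bot: 0x80180005 and 0x80180006 both carry the comment MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR; one symbol cannot name two HRESULTs, so one of the two rows should be checked against the SDK header that defines the MENROLL_E_* constants before the table is re-emitted. Apart from that, every removed row in this 184-line hunk comes back verbatim as an added row (0x80180001 through 0x80180019, "rejectedTermsOfUse", 0x801c0001 through 0x801c0014), so the change is markup-only and should be confirmed with `git diff -w` and stated as such in the commit message. Two rows deserve a second look while the table is open: 0x8018000D (MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID) and 0x80180012 (MENROLL_E_INVALIDSSLCERT) tell the user they "can try to do this again", but an expired or invalid TLS certificate on the discovery or enrollment endpoint does not clear on retry; the 0x801c000B row ("The server being contacted is not trusted. Contact your system administrator with the error code {0}.") already has the right shape for that class of failure.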
      diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index ab4cb97c8f..e493bf16e1 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -24,9 +24,9 @@ The following image shows the CellularSettings CSP in tree format as used by Ope ![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png) **DataRoam** -

      Optional. Integer. Specifies the default roaming value. Valid values are:

      +

      Optional. Integer. Specifies the default roaming value. Valid values are:

      -
      +
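Review bot: the trailing `-`/`+` pair in this hunk removes and re-adds an empty element directly after "Optional. Integer. Specifies the default roaming value. Valid values are:", while the values themselves are not in the hunk; confirm that the list this sentence introduces still follows the re-wrapped DataRoam paragraph in the rendered page, since a lead-in with no list is the easy regression to miss in a markup-only change.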
      diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 5f319c9900..9a5f7e4425 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -192,32 +192,32 @@ This article lists new and updated articles for the Mobile Device Management (MD - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - +
      BitLocker CSP

      Added support for Windows 10 Pro starting in the version 1809.

      +
      BitLocker CSP

      Added support for Windows 10 Pro starting in the version 1809.

      Office CSP

      Added FinalStatus setting in Windows 10, version 1809.

      +
      Office CSP

      Added FinalStatus setting in Windows 10, version 1809.

      RemoteWipe CSP

      Added new settings in Windows 10, version 1809.

      +
      RemoteWipe CSP

      Added new settings in Windows 10, version 1809.

      TenantLockdown CSP

      Added new CSP in Windows 10, version 1809.

      +
      TenantLockdown CSP

      Added new CSP in Windows 10, version 1809.

      WindowsDefenderApplicationGuard CSP

      Added new settings in Windows 10, version 1809.

      +
      WindowsDefenderApplicationGuard CSP

      Added new settings in Windows 10, version 1809.

      Policy DDF file

      Posted an updated version of the Policy DDF for Windows 10, version 1809.

      +
      Policy DDF file

      Posted an updated version of the Policy DDF for Windows 10, version 1809.

      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      +
      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      • Browser/AllowFullScreenMode
      • Browser/AllowPrelaunch
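Review bot: the BitLocker CSP row at the top of this hunk is re-emitted with its wording intact, so fix it while it is being touched: "Added support for Windows 10 Pro starting in the version 1809." should read "Added support for Windows 10 Pro starting in version 1809." The remaining rows (Office CSP FinalStatus, RemoteWipe CSP, TenantLockdown CSP, WindowsDefenderApplicationGuard CSP, Policy DDF file, Policy CSP) are removed and re-added with identical text, so the `- - + - - +` run in the hunk header is row-markup churn only; note that in the commit message so reviewers do not diff the rows by eye.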
      • @@ -270,47 +270,47 @@ This article lists new and updated articles for the Mobile Device Management (MD
      AssignedAccess CSP

      Added the following note:

      +
      AssignedAccess CSP

      Added the following note:

      • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
      PassportForWork CSP

      Added new settings in Windows 10, version 1809.

      +
      PassportForWork CSP

      Added new settings in Windows 10, version 1809.

      EnterpriseModernAppManagement CSP

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      +
      EnterpriseModernAppManagement CSP

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      Win32CompatibilityAppraiser CSP

      Added new configuration service provider in Windows 10, version 1809.

      +
      Win32CompatibilityAppraiser CSP

      Added new configuration service provider in Windows 10, version 1809.

      WindowsLicensing CSP

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      +
      WindowsLicensing CSP

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      SUPL CSP

      Added 3 new certificate nodes in Windows 10, version 1809.

      +
      SUPL CSP

      Added 3 new certificate nodes in Windows 10, version 1809.

      Defender CSP

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      +
      Defender CSP

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      BitLocker CSP

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

      +
      BitLocker CSP

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

      DevDetail CSP

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      +
      DevDetail CSP

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      +
      Policy CSP

      Added the following new policies in Windows 10, version 1809:

      • ApplicationManagement/LaunchAppAfterLogOn
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
      • @@ -360,24 +360,24 @@ This article lists new and updated articles for the Mobile Device Management (MD
      Wifi CSP

      Added a new node WifiCost in Windows 10, version 1809.

      +
      Wifi CSP

      Added a new node WifiCost in Windows 10, version 1809.

      Diagnose MDM failures in Windows 10

      Recent changes:

      +
      Diagnose MDM failures in Windows 10

      Recent changes:

      • Added procedure for collecting logs remotely from Windows 10 Holographic.
      • Added procedure for downloading the MDM Diagnostic Information log.
      BitLocker CSP

      Added new node AllowStandardUserEncryption in Windows 10, version 1809.

      +
      BitLocker CSP

      Added new node AllowStandardUserEncryption in Windows 10, version 1809.

      Policy CSP

      Recent changes:

      +
      Policy CSP

      Recent changes:

      • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
      • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
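Review bot: "BitLocker CSP / Added new node AllowStandardUserEncryption in Windows 10, version 1809." in this hunk repeats the entry from the @@ -270 hunk above ("Added a new node AllowStandardUserEncryption in Windows 10, version 1809."), differing only by the article "a"; if the two sit under different months that is fine, but check that one of them is not a duplicated row before both are re-emitted. The Policy CSP lines recording AccountLockoutDuration and AccountLockoutThreshold as "removed from docs. Not supported." should be kept verbatim, since they are the only record that lockout policy cannot be set through Policy CSP on these builds.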
      • @@ -398,8 +398,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
      WiredNetwork CSPNew CSP added in Windows 10, version 1809. +WiredNetwork CSPNew CSP added in Windows 10, version 1809.
      @@ -419,8 +419,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy DDF file -

      Updated the DDF files in the Windows 10 version 1703 and 1709.

      +Policy DDF file +

      Updated the DDF files in the Windows 10 version 1703 and 1709.

      • Download the Policy DDF file for Windows 10, version 1709
      • Download the Policy DDF file for Windows 10, version 1703
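Review bot: the Policy DDF file row re-emitted in this hunk keeps the ungrammatical "Updated the DDF files in the Windows 10 version 1703 and 1709."; since the row is being rewritten anyway, change it to "Updated the DDF files for Windows 10, versions 1703 and 1709." The two download links below it are unchanged.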
      • @@ -444,35 +444,35 @@ This article lists new and updated articles for the Mobile Device Management (MD -WindowsDefenderApplicationGuard CSP -

        Added the following node in Windows 10, version 1803:

        +WindowsDefenderApplicationGuard CSP +

        Added the following node in Windows 10, version 1803:

        • Settings/AllowVirtualGPU
        • Settings/SaveFilesToHost
        -NetworkProxy CSP -

        Added the following node in Windows 10, version 1803:

        +NetworkProxy CSP +

        Added the following node in Windows 10, version 1803:

        • ProxySettingsPerUser
        -Accounts CSP -

        Added a new CSP in Windows 10, version 1803.

        +Accounts CSP +

        Added a new CSP in Windows 10, version 1803.

        -MDM Migration Analysis Tool (MMAT) -

        Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

        +MDM Migration Analysis Tool (MMAT) +

        Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

        -CSP DDF files download -

        Added the DDF download of Windows 10, version 1803 configuration service providers.

        +CSP DDF files download +

        Added the DDF download of Windows 10, version 1803 configuration service providers.

        -Policy CSP -

        Added the following new policies for Windows 10, version 1803:

        +Policy CSP +

        Added the following new policies for Windows 10, version 1803:

        • Bluetooth/AllowPromptedProximalConnections
        • KioskBrowser/EnableEndSessionButton
        • @@ -500,41 +500,41 @@ This article lists new and updated articles for the Mobile Device Management (MD -eUICCs CSP -

          Added the following node in Windows 10, version 1803:

          +eUICCs CSP +

          Added the following node in Windows 10, version 1803:

          • IsEnabled
          -DeviceStatus CSP -

          Added the following node in Windows 10, version 1803:

          +DeviceStatus CSP +

          Added the following node in Windows 10, version 1803:

          • OS/Mode
          -Understanding ADMX-backed policies -

          Added the following videos:

          +Understanding ADMX-backed policies +

          Added the following videos:

          -AccountManagement CSP -

          Added a new CSP in Windows 10, version 1803.

          +AccountManagement CSP +

          Added a new CSP in Windows 10, version 1803.

          -RootCATrustedCertificates CSP -

          Added the following node in Windows 10, version 1803:

          +RootCATrustedCertificates CSP +

          Added the following node in Windows 10, version 1803:

          • UntrustedCertificates
          -Policy CSP -

          Added the following new policies for Windows 10, version 1803:

          +Policy CSP +

          Added the following new policies for Windows 10, version 1803:

          • ApplicationDefaults/EnableAppUriHandlers
          • ApplicationManagement/MSIAllowUserControlOverInstall
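Review bot: the "Understanding ADMX-backed policies / Added the following videos:" row in this hunk is followed directly by the AccountManagement CSP row, with no video entries between the removed and re-added lines; confirm the video list is still present outside the hunk rather than lost in the re-wrap. The other rows (eUICCs IsEnabled, DeviceStatus OS/Mode, AccountManagement CSP, RootCATrustedCertificates UntrustedCertificates, Policy CSP) are removed and re-added with identical text.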
          • @@ -556,16 +556,16 @@ This article lists new and updated articles for the Mobile Device Management (MD
          -Policy CSP - Bluetooth -

          Added new section ServicesAllowedList usage guide.

          +Policy CSP - Bluetooth +

          Added new section ServicesAllowedList usage guide.

          -MultiSIM CSP -

          Added SyncML examples and updated the settings descriptions.

          +MultiSIM CSP +

          Added SyncML examples and updated the settings descriptions.

          -RemoteWipe CSP -

          Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

          +RemoteWipe CSP +

          Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

          @@ -585,8 +585,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

          Added the following new policies for Windows 10, version 1803:

          +Policy CSP +

          Added the following new policies for Windows 10, version 1803:

          • Display/DisablePerProcessDpiForApps
          • Display/EnablePerProcessDpi
          • @@ -603,12 +603,12 @@ This article lists new and updated articles for the Mobile Device Management (MD
              -VPNv2 ProfileXML XSD -

              Updated the XSD and Plug-in profile example for VPNv2 CSP.

              +VPNv2 ProfileXML XSD +

              Updated the XSD and Plug-in profile example for VPNv2 CSP.

              -AssignedAccess CSP -

              Added the following nodes in Windows 10, version 1803:

              +AssignedAccess CSP +

              Added the following nodes in Windows 10, version 1803:

              • Status
              • ShellLauncher
              • @@ -617,12 +617,12 @@ This article lists new and updated articles for the Mobile Device Management (MD

                Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.

                -MultiSIM CSP -

                Added a new CSP in Windows 10, version 1803.

                +MultiSIM CSP +

                Added a new CSP in Windows 10, version 1803.

                -EnterpriseModernAppManagement CSP -

                Added the following node in Windows 10, version 1803:

                +EnterpriseModernAppManagement CSP +

                Added the following node in Windows 10, version 1803:

                • MaintainProcessorArchitectureOnUpdate
                @@ -645,8 +645,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

                Added the following new policies for Windows 10, version 1803:

                +Policy CSP +

                Added the following new policies for Windows 10, version 1803:

                • Browser/AllowConfigurationUpdateForBooksLibrary
                • Browser/AlwaysEnableBooksLibrary
                • @@ -744,16 +744,16 @@ This article lists new and updated articles for the Mobile Device Management (MD

                  Security/RequireDeviceEncryption - updated to show it is supported in desktop.

                  -BitLocker CSP -

                  Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

                  +BitLocker CSP +

                  Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

                  -EnterpriseModernAppManagement CSP -

                  Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

                  +EnterpriseModernAppManagement CSP +

                  Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

                  -DMClient CSP -

                  Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

                  +DMClient CSP +

                  Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

                  • AADSendDeviceToken
                  • BlockInStatusPage
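Review bot: the EnterpriseModernAppManagement CSP row in this hunk still reads "Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.", while the @@ -617 hunk above records the same node as added in "Windows 10, version 1803"; since the row is being rewritten, replace "next major update" with "version 1803" so the two entries agree. The BitLocker AllowWarningForOtherDiskEncryption row and the DMClient CSP row (FirstSyncStatus, AADSendDeviceToken, BlockInStatusPage) are re-emitted unchanged.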
                  • @@ -764,16 +764,16 @@ This article lists new and updated articles for the Mobile Device Management (MD
                  -Defender CSP -

                  Added new node (OfflineScan) in Windows 10, version 1803.

                  +Defender CSP +

                  Added new node (OfflineScan) in Windows 10, version 1803.

                  -UEFI CSP -

                  Added a new CSP in Windows 10, version 1803.

                  +UEFI CSP +

                  Added a new CSP in Windows 10, version 1803.

                  -Update CSP -

                  Added the following nodes in Windows 10, version 1803:

                  +Update CSP +

                  Added the following nodes in Windows 10, version 1803:

                  • Rollback
                  • Rollback/FeatureUpdate
                  • @@ -799,8 +799,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Configuration service provider reference -

                    Added new section CSP DDF files download

                    +Configuration service provider reference +

                    Added new section CSP DDF files download

                    @@ -820,8 +820,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

                    Added the following policies for Windows 10, version 1709:

                    +Policy CSP +

                    Added the following policies for Windows 10, version 1709:

                    • Authentication/AllowFidoDeviceSignon
                    • Cellular/LetAppsAccessCellularData
                    • @@ -858,28 +858,28 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy DDF file -

                      Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

                      +Policy DDF file +

                      Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

                      -Policy CSP -

                      Updated the following policies:

                      +Policy CSP +

                      Updated the following policies:

                      • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
                      • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
                      -eUICCs CSP -

                      Added new CSP in Windows 10, version 1709.

                      +eUICCs CSP +

                      Added new CSP in Windows 10, version 1709.

                      -AssignedAccess CSP -

                      Added SyncML examples for the new Configuration node.

                      +AssignedAccess CSP +

                      Added SyncML examples for the new Configuration node.

                      -DMClient CSP -

                      Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

                      +DMClient CSP +

                      Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

                      @@ -899,8 +899,8 @@ This article lists new and updated articles for the Mobile Device Management (MD -Policy CSP -

                      Added the following new policies for Windows 10, version 1709:

                      +Policy CSP +

                      Added the following new policies for Windows 10, version 1709:

                      • Authentication/AllowAadPasswordReset
                      • Handwriting/PanelDefaultModeDocked
                      • @@ -910,16 +910,16 @@ This article lists new and updated articles for the Mobile Device Management (MD

                        Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

                        -AssignedAccess CSP -

                        Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

                        +AssignedAccess CSP +

                        Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

                        -Microsoft Store for Business and Microsoft Store -

                        Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

                        +Microsoft Store for Business and Microsoft Store +

                        Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

                        -The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 -

                        The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

                        +The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 +

                        The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

                        • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
                        • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
                        • @@ -928,20 +928,20 @@ This article lists new and updated articles for the Mobile Device Management (MD

                          For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

                          -EnterpriseAPN CSP -

                          Added a SyncML example.

                          +EnterpriseAPN CSP +

                          Added a SyncML example.

                          -VPNv2 CSP -

                          Added RegisterDNS setting in Windows 10, version 1709.

                          +VPNv2 CSP +

                          Added RegisterDNS setting in Windows 10, version 1709.

                          -Enroll a Windows 10 device automatically using Group Policy -

                          Added new topic to introduce a new Group Policy for automatic MDM enrollment.

                          +Enroll a Windows 10 device automatically using Group Policy +

                          Added new topic to introduce a new Group Policy for automatic MDM enrollment.

                          -MDM enrollment of Windows-based devices -

                          New features in the Settings app:

                          +MDM enrollment of Windows-based devices +

                          New features in the Settings app:

                          • User sees installation progress of critical policies during MDM enrollment.
                          • User knows what policies, profiles, apps MDM has configured
                          • @@ -967,23 +967,23 @@ This article lists new and updated articles for the Mobile Device Management (MD -Enable ADMX-backed policies in MDM -

                            Added new step-by-step guide to enable ADMX-backed policies.

                            +Enable ADMX-backed policies in MDM +

                            Added new step-by-step guide to enable ADMX-backed policies.

                            -Mobile device enrollment -

                            Added the following statement:

                            +Mobile device enrollment +

                            Added the following statement:

                            • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
                            -CM_CellularEntries CSP -

                            Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

                            +CM_CellularEntries CSP +

                            Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

                            -EnterpriseDataProtection CSP -

                            Updated the Settings/EDPEnforcementLevel values to the following:

                            +EnterpriseDataProtection CSP +

                            Updated the Settings/EDPEnforcementLevel values to the following:

                            • 0 (default) – Off / No protection (decrypts previously protected data).
                            • 1 – Silent mode (encrypt and audit only).
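Review bot: the CM_CellularEntries CSP row in this hunk carries the typo "PuposeGroups" unchanged from the removed line into the added line ("Updated the description of the PuposeGroups node to add the GUID for applications"); since the row is being rewritten anyway, correct it to "PurposeGroups", the node name used in cm-cellularentries-csp.md.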
                            • @@ -992,31 +992,31 @@ This article lists new and updated articles for the Mobile Device Management (MD
                            -AppLocker CSP -

                            Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

                            +AppLocker CSP +

                            Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

                            -DeviceManageability CSP -

                            Added the following settings in Windows 10, version 1709:

                            +DeviceManageability CSP +

                            Added the following settings in Windows 10, version 1709:

                            • Provider/ProviderID/ConfigInfo
                            • Provider/ProviderID/EnrollmentInfo
                            -Office CSP -

                            Added the following setting in Windows 10, version 1709:

                            +Office CSP +

                            Added the following setting in Windows 10, version 1709:

                            • Installation/CurrentStatus
                            -BitLocker CSP -Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +BitLocker CSP +Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. -Firewall CSP -Updated the CSP and DDF topics. Here are the changes: +Firewall CSP +Updated the CSP and DDF topics. Here are the changes:
                            • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
                            • Changed some data types from integer to bool.
                            • @@ -1025,8 +1025,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
                            -Policy DDF file -Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies: +Policy DDF file +Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
                            • Browser/AllowMicrosoftCompatibilityList
                            • Update/DisableDualScan
                            • @@ -1034,8 +1034,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
                            -Policy CSP -

                            Added the following new policies for Windows 10, version 1709:

                            +Policy CSP +

                            Added the following new policies for Windows 10, version 1709:

                            • Browser/ProvisionFavorites
                            • Browser/LockdownFavorites
                            • diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index a4433c6dcf..437a1a48c2 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -23,14 +23,14 @@ CleanPC ----CleanPCRetainingUserData ``` **./Device/Vendor/MSFT/CleanPC** -

                              The root node for the CleanPC configuration service provider.

                              +

                              The root node for the CleanPC configuration service provider.

                              **CleanPCWithoutRetainingUserData** -

                              An integer specifying a CleanPC operation without any retention of user data. +

                              An integer specifying a CleanPC operation without any retention of user data. -

                              The only supported operation is Execute. +

                              The only supported operation is Execute. **CleanPCRetainingUserData** -

                              An integer specifying a CleanPC operation with retention of user data. +

                              An integer specifying a CleanPC operation with retention of user data. -

                              The only supported operation is Execute. +

                              The only supported operation is Execute. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 1d42413872..44886adee0 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -23,28 +23,28 @@ The following diagram shows the CM\_CellularEntries configuration service provid ![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) ***entryname*** -

                              Defines the name of the connection.

                              +

                              Defines the name of the connection.

                              -

                              The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.

                              +

                              The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.

                              **AlwaysOn** -

                              Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. +

                              Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -

                              A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +

                              A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. -

                              A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +

                              A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. -

                              There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. +

                              There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. **AuthType** -

                              Optional. Type: String. Specifies the method of authentication used for a connection. +

                              Optional. Type: String. Specifies the method of authentication used for a connection. -

                              A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". +

                              A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". **ConnectionType** -

                              Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: +

                              Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: -
                              +
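Review bot: the AuthType row in this hunk expands CHAP as "Challenge Handshake Application Protocol" on both the removed and the added line; the protocol is the Challenge Handshake Authentication Protocol, so the added line should read "A value of "CHAP" specifies the Challenge Handshake Authentication Protocol." to match the PAP sentence that follows it.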
                              @@ -80,48 +80,48 @@ The following diagram shows the CM\_CellularEntries configuration service provid **Desc.langid** -

                              Optional. Specifies the UI display string used by the defined language ID. +

                              Optional. Specifies the UI display string used by the defined language ID. -

                              A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. +

                              A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. **Enabled** -

                              Specifies if the connection is enabled. +

                              Specifies if the connection is enabled. -

                              A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. +

                              A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. **IpHeaderCompression** -

                              Optional. Specifies if IP header compression is enabled. +

                              Optional. Specifies if IP header compression is enabled. -

                              A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. +

                              A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. **Password** -

                              Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. +

                              Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. **SwCompression** -

                              Optional. Specifies if software compression is enabled. +

                              Optional. Specifies if software compression is enabled. -

                              A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. +

                              A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. **UserName** -

                              Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. +

                              Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. **UseRequiresMappingsPolicy** -

                              Optional. Specifies if the connection requires a corresponding mappings policy. +

                              Optional. Specifies if the connection requires a corresponding mappings policy. -

                              A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. +

                              A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -

                              For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +

                              For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. **Version** -

                              Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. +

                              Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. -

                              This value must be "1" if included. +

                              This value must be "1" if included. **GPRSInfoAccessPointName** -

                              Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". +

                              Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". **Roaming** -

                              Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available: +

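Review bot: the Password and UserName rows in this hunk say only that the value is "the password used to connect to the APN" (and the user name); because these nodes carry a credential inside the provisioning XML, the added lines should also state which operations the nodes support and whether a Get on Password returns the stored value, the way cleanpc-csp.md and developersetup-csp.md in this same patch state "The only supported operation is ..." for their nodes.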
                              Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available: - 0 - Home network only. - 1 (default)- All roaming conditions (home and roaming). @@ -131,13 +131,13 @@ The following diagram shows the CM\_CellularEntries configuration service provid - 5 - Roaming only. **OEMConnectionID** -

                              Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. +

                              Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. **ApnId** -

                              Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. +

                              Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. **IPType** -

                              Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". +

                              Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". > [!WARNING] > Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6. @@ -145,14 +145,14 @@ The following diagram shows the CM\_CellularEntries configuration service provid **ExemptFromDisablePolicy** -

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). +

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). -

                              To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. +

                              To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. > [!IMPORTANT] > Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections. -

                              To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should: +

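Review bot: the guidance under ExemptFromDisablePolicy in this hunk names the same node two ways, "AllowMmsIfDataIsOff" in the first bullet and "AllowMMSIfDataIsOff" in the second; since the text is being touched, use one spelling in both bullets (and in "AllowMmsIfDataIsOffEnabled") so readers can match the setting to the actual node name.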
                              To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should: - Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1) - Set AllowMMSIfDataIsOff to 1 (default is 0) @@ -160,16 +160,16 @@ The following diagram shows the CM\_CellularEntries configuration service provid **ExemptFromRoaming** -

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). +

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). **TetheringNAI** -

                              Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". +

                              Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". **IdleDisconnectTimeout** -

                              Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. +

                              Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. > [!IMPORTANT] ->

                              You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. +>

                              You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. > [!NOTE] @@ -178,10 +178,10 @@ The following diagram shows the CM\_CellularEntries configuration service provid **SimIccId** -

                              For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. +

                              For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. **PurposeGroups** -

                              Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: +

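Review bot: the SimIccId row in this hunk keeps the abbreviation "parm" twice on the added line ("this parm is optional", "this parm is required"); spell it out as "parameter" to match the rest of the article, which uses "parameter" under OEMConnectionID and Roaming.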
                              Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: - Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F - LTE attach - 11A6FE68-5B47-4859-9CB6-1EAC96A8F0BD diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 2f1ccdb53c..f36f744684 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -35,48 +35,48 @@ DeveloperSetup ------------HttpsPort ``` **DeveloperSetup** -

                              The root node for the DeveloperSetup configuration service provider. +

                              The root node for the DeveloperSetup configuration service provider. **EnableDeveloperMode** -

                              A Boolean value that is used to enable Developer Mode on the device. The default value is false. +

                              A Boolean value that is used to enable Developer Mode on the device. The default value is false. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal** -

                              The node for the Windows Device Portal. +

                              The node for the Windows Device Portal. **DevicePortal/Authentication** -

                              The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal. +

                              The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal. **DevicePortal/Authentication/Mode** -

                              An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal. +

                              An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Authentication/BasicAuth** -

                              The node that describes the credentials that are used for basic authentication with the Windows Device Portal. +

                              The node that describes the credentials that are used for basic authentication with the Windows Device Portal. **DevicePortal/Authentication/BasicAuth/Username** -

                              A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal. +

                              A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal. The user name must contain only ASCII characters and cannot contain a colon (:). -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Authentication/BasicAuth/Password** -

                              A string value that specifies the password to use when authenticating requests against the Windows Device Portal. +

                              A string value that specifies the password to use when authenticating requests against the Windows Device Portal. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Connection** -

                              The node for configuring connections to the Windows Device Portal service. +

                              The node for configuring connections to the Windows Device Portal service. **DevicePortal/Connection/HttpPort** -

                              An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service. +

                              An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service. If authentication is enabled, HttpPort will redirect the user to the (required) HttpsPort. -

                              The only supported operation is Replace. +

                              The only supported operation is Replace. **DevicePortal/Connection/HttpsPort** -

                              An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service. +

                              An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service. -

                              The only supported operation is Replace. \ No newline at end of file +

                              The only supported operation is Replace. \ No newline at end of file diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index cc589f1f13..bd80931f74 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -147,49 +147,49 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. -

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. +

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. -

                              The default is 17 (5 PM). +

                              The default is 17 (5 PM). **Update/ActiveHoursMaxRange** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. +

                              Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. -

                              Supported values are 8-18. +

                              Supported values are 8-18. -

                              The default value is 18 (hours). +

                              The default value is 18 (hours). **Update/ActiveHoursStart** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +

                              Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. -

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. +

                              Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. -

                              The default value is 8 (8 AM). +

                              The default value is 8 (8 AM). **Update/AllowAutoUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Enables the IT admin to manage automatic update behavior to scan, download, and install updates. +

                              Enables the IT admin to manage automatic update behavior to scan, download, and install updates. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. @@ -202,16 +202,16 @@ The following diagram shows the Update policies in a tree format. > This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -

                              If the policy is not configured, end-users get the default behavior (Auto install and restart). +

                              If the policy is not configured, end-users get the default behavior (Auto install and restart). **Update/AllowMUUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. +

                              Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. @@ -221,29 +221,29 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. -

                              Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution. +

                              Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. - 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -

                              This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +

                              This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. **Update/AllowUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. +

                              Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. -

                              Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft +

                              Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft -

                              Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. +

                              Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Update service is not allowed. - 1 (default) – Update service is allowed. @@ -257,20 +257,20 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. -

                              Supported values are 15, 30, 60, 120, and 240 (minutes). +

                              Supported values are 15, 30, 60, 120, and 240 (minutes). -

                              The default value is 15 (minutes). +

                              The default value is 15 (minutes). **Update/AutoRestartRequiredNotificationDismissal** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 1 (default) – Auto Dismissal. - 2 – User Dismissal. @@ -280,9 +280,9 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. +

                              Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). @@ -291,18 +291,18 @@ The following diagram shows the Update policies in a tree format. > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

                              Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. +

                              Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. -

                              Supported values are 0-180. +

                              Supported values are 0-180. **Update/DeferQualityUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. +

                              Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. -

                              Supported values are 0-30. +

                              Supported values are 0-30. **Update/DeferUpdatePeriod** > [!NOTE] @@ -311,15 +311,15 @@ The following diagram shows the Update policies in a tree format. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -

                              Allows IT Admins to specify update delays for up to four weeks. +

                              Allows IT Admins to specify update delays for up to four weeks. -

                              Supported values are 0-4, which refers to the number of weeks to defer updates. +

                              Supported values are 0-4, which refers to the number of weeks to defer updates. -

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              +
                              @@ -336,16 +336,16 @@ The following diagram shows the Update policies in a tree format. - - - - + + + + - - - - + + + - - - - + + + @@ -380,71 +380,71 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. -

                              Allows IT Admins to specify additional upgrade delays for up to eight months. +

                              Allows IT Admins to specify additional upgrade delays for up to eight months. -

                              Supported values are 0-8, which refers to the number of months to defer upgrades. +

                              Supported values are 0-8, which refers to the number of months to defer upgrades. -

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. **Update/EngagedRestartDeadline** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). -

                              Supported values are 2-30 days. +

                              Supported values are 2-30 days. -

                              The default value is 0 days (not specified). +

                              The default value is 0 days (not specified). **Update/EngagedRestartSnoozeSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. -

                              Supported values are 1-3 days. +

                              Supported values are 1-3 days. -

                              The default value is three days. +

                              The default value is three days. **Update/EngagedRestartTransitionSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +

                              Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -

                              Supported values are 2-30 days. +

                              Supported values are 2-30 days. -

                              The default value is seven days. +

                              The default value is seven days. **Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

                              Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. +

                              Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. **Update/IgnoreMOAppDownloadLimit** -

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Do not ignore MO download limit for apps and their updates. - 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. -

                              To validate this policy: +

                              To validate this policy: 1. Enable the policy ensure the device is on a cellular network. 2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: @@ -456,17 +456,17 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/IgnoreMOUpdateDownloadLimit** -

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +

                              Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Do not ignore MO download limit for OS updates. - 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. -

                              To validate this policy: +

                              To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. 2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: @@ -482,24 +482,24 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. -

                              Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. +

                              Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Deferrals are not paused. - 1 – Deferrals are paused. -

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

                              If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. **Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

                              Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. +

                              Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. @@ -509,9 +509,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. +

                              Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. @@ -523,9 +523,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. -

                              Allows the IT admin to set a device to CBB train. +

                              Allows the IT admin to set a device to CBB train. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. @@ -541,11 +541,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. -

                              Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. +

                              Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. @@ -555,24 +555,24 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. -

                              Supported values are 15, 30, or 60 (minutes). +

                              Supported values are 15, 30, or 60 (minutes). -

                              The default value is 15 (minutes). +

                              The default value is 15 (minutes). **Update/ScheduledInstallDay** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Enables the IT admin to schedule the day of the update installation. +

                              Enables the IT admin to schedule the day of the update installation. -

                              The data type is a string. +

                              The data type is a string. -

                              Supported operations are Add, Delete, Get, and Replace. +

                              Supported operations are Add, Delete, Get, and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Every day - 1 – Sunday @@ -588,35 +588,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Enables the IT admin to schedule the time of the update installation. +

                              Enables the IT admin to schedule the time of the update installation. -

                              The data type is a string. +

                              The data type is a string. -

                              Supported operations are Add, Delete, Get, and Replace. +

                              Supported operations are Add, Delete, Get, and Replace. -

                              Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. +

                              Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. -

                              The default value is 3. +

                              The default value is 3. **Update/ScheduleRestartWarning** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. +

                              Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. -

                              Supported values are 2, 4, 8, 12, or 24 (hours). +

                              Supported values are 2, 4, 8, 12, or 24 (hours). -

                              The default value is 4 (hours). +

                              The default value is 4 (hours). **Update/SetAutoRestartNotificationDisable** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                              Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. +

                              Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - 0 (default) – Enabled - 1 – Disabled @@ -628,11 +628,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise. -

                              Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. +

                              Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. -

                              Supported operations are Get and Replace. +

                              Supported operations are Get and Replace. -

                              The following list shows the supported values: +

                              The following list shows the supported values: - Not configured. The device checks for updates from Microsoft Update. - Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. @@ -659,13 +659,13 @@ Example > **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                              Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. +

                              Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. -

                              This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. +

                              This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. -

                              To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. +

                              To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. -

                              Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +

                              Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. > [!Note] > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. @@ -827,50 +827,50 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici

                              - - - + + - - - + + - - - + + + - - - + + - - - + + - - - + + + - - - + + - - - + + diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 46dd29b427..8290fa7eea 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -62,25 +62,25 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( ## Parameters *pszXmlIn* -
                                +
                                • [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).

                                *rgszAllowedCspNode* -
                                  +
                                  • [in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.

                                  *dwNumAllowedCspNodes* -
                                    +
                                    • [in] Number of elements passed in rgszAllowedCspNode.

                                    *pbstrXmlOut* -
                                      +
                                      • [out] The resulting null–terminated XML from configuration. The caller of DMProcessConfigXMLFiltered is responsible for cleanup of the output buffer that the pbstrXmlOut parameter references. Use SysFreeString to free the memory.

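Review bot: The `+` lines in this hunk open each parameter description with a literal `•` character (for example `• [in] The null–terminated input XML buffer…`), which renders as ordinary text rather than a list item; use the markdown list marker `-` that the rest of the docs use. The same lines spell "null–terminated" with an en dash where a plain hyphen ("null-terminated") is intended, on both the *pszXmlIn* and *pbstrXmlOut* descriptions.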
                                      @@ -104,24 +104,24 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow
                              - - + + - - + + - - + + - - + + - - + +

                              OS upgrade

                              8 months

                              1 month

                              Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

                              OS upgrade

                              8 months

                              1 month

                              Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

                              Update

                              1 month

                              1 week

                              +

                              Update

                              1 month

                              1 week

                              Note If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
                              @@ -361,10 +361,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

                              Other/cannot defer

                              No deferral

                              No deferral

                              Any update category not enumerated above falls into this category.

                              +

                              Other/cannot defer

                              No deferral

                              No deferral

                              Any update category not enumerated above falls into this category.

                              Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

                              BranchReadinessLevel

                              REG_DWORD

                              16: systems take Feature Updates on the Current Branch (CB) train

                              +

                              BranchReadinessLevel

                              REG_DWORD

                              16: systems take Feature Updates on the Current Branch (CB) train

                              32: systems take Feature Updates on the Current Branch for Business

                              Other value or absent: receive all applicable updates (CB)

                              DeferQualityUpdates

                              REG_DWORD

                              1: defer quality updates

                              +

                              DeferQualityUpdates

                              REG_DWORD

                              1: defer quality updates

                              Other value or absent: don’t defer quality updates

                              DeferQualityUpdatesPeriodInDays

                              REG_DWORD

                              0-30: days to defer quality updates

                              DeferQualityUpdatesPeriodInDays

                              REG_DWORD

                              0-30: days to defer quality updates

                              PauseQualityUpdates

                              REG_DWORD

                              1: pause quality updates

                              +

                              PauseQualityUpdates

                              REG_DWORD

                              1: pause quality updates

                              Other value or absent: don’t pause quality updates

                              DeferFeatureUpdates

                              REG_DWORD

                              1: defer feature updates

                              +

                              DeferFeatureUpdates

                              REG_DWORD

                              1: defer feature updates

                              Other value or absent: don’t defer feature updates

                              DeferFeatureUpdatesPeriodInDays

                              REG_DWORD

                              0-180: days to defer feature updates

                              DeferFeatureUpdatesPeriodInDays

                              REG_DWORD

                              0-180: days to defer feature updates

                              PauseFeatureUpdates

                              REG_DWORD

                              1: pause feature updates

                              +

                              PauseFeatureUpdates

                              REG_DWORD

                              1: pause feature updates

                              Other value or absent: don’t pause feature updates

                              ExcludeWUDriversInQualityUpdate

                              REG_DWORD

                              1: exclude WU drivers

                              +

                              ExcludeWUDriversInQualityUpdate

                              REG_DWORD

                              1: exclude WU drivers

                              Other value or absent: offer WU drivers

                              CONFIG_E_OBJECTBUSY

                              Another instance of the configuration management service is currently running.

                              CONFIG_E_OBJECTBUSY

                              Another instance of the configuration management service is currently running.

                              CONFIG_E_ENTRYNOTFOUND

                              No metabase entry was found.

                              CONFIG_E_ENTRYNOTFOUND

                              No metabase entry was found.

                              CONFIG_E_CSPEXCEPTION

                              An exception occurred in one of the configuration service providers.

                              CONFIG_E_CSPEXCEPTION

                              An exception occurred in one of the configuration service providers.

                              CONFIG_E_TRANSACTIONINGFAILURE

                              A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.

                              CONFIG_E_TRANSACTIONINGFAILURE

                              A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.

                              CONFIG_E_BAD_XML

                              The XML input is invalid or malformed.

                              CONFIG_E_BAD_XML

                              The XML input is invalid or malformed.

                              @@ -196,28 +196,28 @@ if ( bstr != NULL ) -

                              Minimum supported client

                              -

                              None supported

                              +

                              Minimum supported client

                              +

                              None supported

                              -

                              Minimum supported server

                              -

                              None supported

                              +

                              Minimum supported server

                              +

                              None supported

                              -

                              Minimum supported phone

                              -

                              Windows Phone 8.1

                              +

                              Minimum supported phone

                              +

                              Windows Phone 8.1

                              -

                              Header

                              -

                              Dmprocessxmlfiltered.h

                              +

                              Header

                              +

                              Dmprocessxmlfiltered.h

                              -

                              Library

                              -

                              Dmprocessxmlfiltered.lib

                              +

                              Library

                              +

                              Dmprocessxmlfiltered.lib

                              -

                              DLL

                              -

                              Dmprocessxmlfiltered.dll

                              +

                              DLL

                              +

                              Dmprocessxmlfiltered.dll

                              diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 8c5772b29c..ffdfc3e2b7 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -63,41 +63,41 @@ DMSessionActions ------------MaxTimeSessionsSkippedInLowPowerState ``` **./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions** -

                              Defines the root node for the DMSessionActions configuration service provider.

                              +

                              Defines the root node for the DMSessionActions configuration service provider.

                              ***ProviderID*** -

                              Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.

                              +

                              Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.

                              -

                              Scope is dynamic. Supported operations are Get, Add, and Delete.

                              +

                              Scope is dynamic. Supported operations are Get, Add, and Delete.

                              ***ProviderID*/CheckinAlertConfiguration** -

                              Node for the custom configuration of alerts to be sent during MDM sync session.

                              +

                              Node for the custom configuration of alerts to be sent during MDM sync session.

                              ***ProviderID*/CheckinAlertConfiguration/Nodes** -

                              Required. Root node for URIs to be queried. Scope is dynamic.

                              +

                              Required. Root node for URIs to be queried. Scope is dynamic.

                              -

                              Supported operation is Get.

                              +

                              Supported operation is Get.

                              ***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*** -

                              Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.

                              +

                              Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.

                              -

                              Supported operations are Get, Add, and Delete.

                              +

                              Supported operations are Get, Add, and Delete.

                              ***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI** -

                              Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **AlertData** -

                              Node to query the custom alert per server configuration

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Node to query the custom alert per server configuration

                              +

                              Value type is string. Supported operation is Get.

                              **PowerSettings** -

                              Node for power-related configrations

                              +

                              Node for power-related configrations

                              **PowerSettings/MaxSkippedSessionsInLowPowerState** -

                              Maximum number of continuous skipped sync sessions when the device is in low-power state.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Maximum number of continuous skipped sync sessions when the device is in low-power state.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -

                              Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 3716a1c54a..3b59ea0c12 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -33,12 +33,12 @@ DynamicManagement ----AlertsEnabled ``` **DynamicManagement** -

                              The root node for the DynamicManagement configuration service provider.

                              +

                              The root node for the DynamicManagement configuration service provider.

                              **NotificationsEnabled** -

                              Boolean value for sending notification to the user of a context change.

                              -

                              Default value is False. Supported operations are Get and Replace.

                              -

                              Example to turn on NotificationsEnabled:

                              +

                              Boolean value for sending notification to the user of a context change.

                              +

                              Default value is False. Supported operations are Get and Replace.

                              +

                              Example to turn on NotificationsEnabled:

                              ```xml @@ -56,40 +56,40 @@ DynamicManagement ``` **ActiveList** -

                              A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..

                              -

                              Supported operation is Get.

                              +

                              A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..

                              +

                              Supported operation is Get.

                              **Contexts** -

                              Node for context information.

                              -

                              Supported operation is Get.

                              +

                              Node for context information.

                              +

                              Supported operation is Get.

                              ***ContextID*** -

                              Node created by the server to define a context. Maximum number of characters allowed is 38.

                              -

                              Supported operations are Add, Get, and Delete.

                              +

                              Node created by the server to define a context. Maximum number of characters allowed is 38.

                              +

                              Supported operations are Add, Get, and Delete.

                              **SignalDefinition** -

                              Signal Definition XML.

                              -

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              +

                              Signal Definition XML.

                              +

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              **SettingsPack** -

                              Settings that get applied when the Context is active.

                              -

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              +

                              Settings that get applied when the Context is active.

                              +

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              **SettingsPackResponse** -

                              Response from applying a Settings Pack that contains information on each individual action.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Response from applying a Settings Pack that contains information on each individual action.

                              +

                              Value type is string. Supported operation is Get.

                              **ContextStatus** -

                              Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.

                              -

                              Value type is integer. Supported operation is Get.

                              +

                              Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.

                              +

                              Value type is integer. Supported operation is Get.

                              **Altitude** -

                              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

                              -

                              Value type is integer. Supported operations are Add, Get, Delete, and Replace.

                              +

                              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

                              +

                              Value type is integer. Supported operations are Add, Get, Delete, and Replace.

                              **AlertsEnabled** -

                              A Boolean value for sending an alert to the server when a context fails.

                              -

                              Supported operations are Get and Replace.

                              +

                              A Boolean value for sending an alert to the server when a context fails.

                              +

                              Supported operations are Get and Replace.

                              ## Examples diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index c271c1dbe6..f82e763f75 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -39,40 +39,40 @@ EnterpriseAPN --------HideView ``` **EnterpriseAPN** -
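Review bot: AlertsEnabled is the one leaf in this hunk whose `+` lines state no value type; SettingsPackResponse, ContextStatus and Altitude each end with a "Value type is ..." sentence, so add "Value type is boolean." ahead of "Supported operations are Get and Replace." to keep the node consistent with its siblings. Since the `-`/`+` pairs here carry identical text and this is a formatting pass, the Altitude `+` line is also the place to fix "must be distinct of other priorities": it should read "must be distinct from the Altitude of every other context on the device", because "priorities" is not a term the node defines anywhere else.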

                              The root node for the EnterpriseAPN configuration service provider.

                              +

                              The root node for the EnterpriseAPN configuration service provider.

                              **EnterpriseAPN/***ConnectionName* -

                              Name of the connection as seen by Windows Connection Manager.

                              +

                              Name of the connection as seen by Windows Connection Manager.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/APNName** -

                              Enterprise APN name.

                              +

                              Enterprise APN name.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IPType** -

                              This value can be one of the following:

                              +

                              This value can be one of the following:

                              - IPv4 - only IPV4 connection type - IPv6 - only IPv6 connection type - IPv4v6 (default)- IPv4 and IPv6 concurrently. - IPv4v6xlat - IPv6 with IPv4 provided by 46xlat -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IsAttachAPN** -

                              Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.

                              +

                              Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/ClassId** -

                              GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

                              +

                              GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/AuthType** -

                              Authentication type. This value can be one of the following:

                              +

                              Authentication type. This value can be one of the following:

                              - None (default) - Auto @@ -80,39 +80,39 @@ EnterpriseAPN - CHAP - MSCHAPv2 -
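Review bot: the ConnectionName heading `**EnterpriseAPN/***ConnectionName*` closes the bold run in the wrong place; every sibling heading writes the placeholder as `**EnterpriseAPN/*ConnectionName*/APNName**`, so this one should be `**EnterpriseAPN/*ConnectionName***`. Two smaller consistency points in the same hunk: the IPType list spells the first value "only IPV4 connection type" next to "IPv4" on the same line, and the root node `**EnterpriseAPN**` is the only node in the file that states no supported operations, while each child lists Add, Get, Delete, and Replace.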

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/UserName** -

                              User name for use with PAP, CHAP, or MSCHAPv2 authentication.

                              +

                              User name for use with PAP, CHAP, or MSCHAPv2 authentication.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/Password** -

                              Password corresponding to the username.

                              +

                              Password corresponding to the username.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IccId** -

                              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

                              +

                              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/AlwaysOn** -

                              Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.

                              +

                              Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.

                              -

                              The default value is true.

                              +

                              The default value is true.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/Enabled** -

                              Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.

                              +

                              Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.

                              -

                              The default value is true.

                              +

                              The default value is true.

                              -

                              Supported operations are Add, Get, Delete, and Replace.

                              +

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/Roaming** -

                              Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:

                              +

                              Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:

                              • 0 - Disallowed
                              • @@ -123,27 +123,27 @@ EnterpriseAPN
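Review bot: Get is listed as a supported operation on EnterpriseAPN/ConnectionName/Password, and the description ("Password corresponding to the username.") does not say what Get returns; state whether a Get on this node returns the stored secret, an empty value, or a masked value, because that decides whether a management server with read access to the CSP can retrieve the APN credentials it previously provisioned. In the same hunk, the AlwaysOn `+` line says "whether the CM will automatically attempt to connect" without ever expanding "CM"; the only earlier expansion is "Windows Connection Manager" under ConnectionName, so write "Windows Connection Manager (CM)" the first time it is used. UserName is described as "for use with PAP, CHAP, or MSCHAPv2 authentication" while AuthType also offers "Auto"; say whether UserName and Password are consulted when AuthType is Auto.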
                              • 5 - UseOnlyForRoaming
                              -

                              Default is 1 (all roaming allowed).

                              +

                              Default is 1 (all roaming allowed).

                              -

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              +

                              Value type is string. Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/Settings** -

                              Added in Windows 10, version 1607. Node that contains global settings.

                              +

                              Added in Windows 10, version 1607. Node that contains global settings.

                              **EnterpriseAPN/Settings/AllowUserControl** -

                              Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.

                              +

                              Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.

                              -

                              The default value is false.

                              +

                              The default value is false.

                              -

                              Supported operations are Get and Replace.

                              +

                              Supported operations are Get and Replace.

                              **EnterpriseAPN/Settings/HideView** -

                              Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.

                              +

                              Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.

                              -

                              The default value is false.

                              +

                              The default value is false.

                              -

                              Supported operations are Get and Replace.

                              +

                              Supported operations are Get and Replace.

                              ## Examples diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 9a0893f98e..cb948488da 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -45,68 +45,68 @@ EnterpriseAppVManagement ------------Policy ``` **./Vendor/MSFT/EnterpriseAppVManagement** -
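Review bot: the Roaming node says "Value type is string." but its value list enumerates integers ("0 - Disallowed" through "5 - UseOnlyForRoaming") and the default is given as "1 (all roaming allowed)"; either the value type should be integer, or the text should say the integer is passed as a string, and the IPType and AuthType enumerations earlier in the file should get a matching "Value type is ..." line, since today they have none. The Roaming values are also bulleted with "•" characters while IPType and AuthType use markdown "-" items; convert them in the `+` lines. For HideView, the description "whether the cellular UX will allow the user to view enterprise APNs" reads with the opposite polarity to the node name; state explicitly what true means (for example "true hides enterprise APNs from the cellular UX") so an admin setting AllowUserControl to true knows which way to set HideView.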

                              Root node for the EnterpriseAppVManagement configuration service provider.

                              +

                              Root node for the EnterpriseAppVManagement configuration service provider.

                              **AppVPackageManagement** -

                              Used to query App-V package information (post-publish).

                              +

                              Used to query App-V package information (post-publish).

                              **AppVPackageManagement/EnterpriseID** -

                              Used to query package information. Value is always "HostedInstall".

                              +

                              Used to query package information. Value is always "HostedInstall".

                              **AppVPackageManagement/EnterpriseID/PackageFamilyName** -

                              Package ID of the published App-V package.

                              +

                              Package ID of the published App-V package.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*** -

                              Version ID of the published App-V package.

                              +

                              Version ID of the published App-V package.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name** -

                              Name specified in the published AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Name specified in the published AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version** -

                              Version specified in the published AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Version specified in the published AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher** -

                              Publisher as specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Publisher as specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation** -

                              Local package path specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Local package path specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate** -

                              Date the app was installed, as specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Date the app was installed, as specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users** -

                              Registered users for app, as specified in the published asset information of the AppV package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Registered users for app, as specified in the published asset information of the AppV package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId** -

                              Package ID of the published App-V package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Package ID of the published App-V package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId** -

                              Version ID of the published App-V package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Version ID of the published App-V package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri** -

                              Package URI of the published App-V package.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Package URI of the published App-V package.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing** -

                              Used to monitor publishing operations on App-V.

                              +

                              Used to monitor publishing operations on App-V.

                              **AppVPublishing/LastSync** -

                              Used to monitor publishing status of last sync operation.

                              +

                              Used to monitor publishing status of last sync operation.

                              **AppVPublishing/LastSync/LastError** -

                              Error code and error description of last sync operation.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Error code and error description of last sync operation.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing/LastSync/LastErrorDescription** -

                              Last sync error status. One of the following values may be returned:

                              +

                              Last sync error status. One of the following values may be returned:

                              - SYNC\_ERR_NONE (0) - No errors during publish. - SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. @@ -116,10 +116,10 @@ EnterpriseAppVManagement - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish. - SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish. -
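Review bot: placeholder markup is inconsistent across the headings in this hunk: `**AppVPackageManagement/EnterpriseID**` and `**AppVPackageManagement/EnterpriseID/PackageFamilyName**` are written as literal segments, while every deeper heading italicises them as `*EnterpriseID*`, `*PackageFamilyName*`, `*PackageFullName*`; since the `+` lines are a formatting pass, italicise these two as well. The descriptions of the two dynamic nodes are also copied from leaves further down: PackageFamilyName says "Package ID of the published App-V package." (word for word the AppVPackageId text) and PackageFullName says "Version ID of the published App-V package." (the AppVVersionId text). Each dynamic node should instead describe what the node name itself is, that is the package family name and the package full name under which the package was published.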

                              Value type is string. Supported operation is Get.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing/LastSync/SyncStatusDescription** -

                              Latest sync in-progress stage. One of the following values may be returned:

                              +

                              Latest sync in-progress stage. One of the following values may be returned:

                              - SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle. - SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. @@ -127,9 +127,9 @@ EnterpriseAppVManagement - SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. -
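Review bot: the LastError and LastErrorDescription descriptions appear to be swapped: LastError is described as "Error code and error description of last sync operation." while LastErrorDescription is the node that enumerates the numeric SYNC_ERR_* codes ("SYNC_ERR_NONE (0)" through "SYNC_ERR_MULTIPLE_DURING_PUBLISH (6)"); confirm which node returns the code and which returns the text before the `+` lines land. Underscore escaping in the list is also uneven (`SYNC\_ERR_NONE` next to `SYNC\_ERR\_UNPUBLISH_GROUPS`); wrapping each identifier in backticks removes the need for escaping altogether.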

                              Value type is string. Supported operation is Get.

                              +

                              Value type is string. Supported operation is Get.

                              -AppVPublishing/LastSync/SyncProgress

                              Latest sync state. One of the following values may be returned:

                              +AppVPublishing/LastSync/SyncProgress

                              Latest sync state. One of the following values may be returned:

                              - SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -137,22 +137,22 @@ EnterpriseAppVManagement - SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete. - SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. -
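Review bot: `SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` has the backslash inside the identifier, which renders as a corrupted name; it should be `SYNC\_PROGRESS\_UNPUBLISH_PACKAGES` (or a backticked identifier). In the same list, `SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.` has a name that says unpublish and a description that says publish; one of the two is wrong and should be corrected against the App-V client's actual stage names.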

                              Value type is string. Supported operation is Get.

                              +

                              Value type is string. Supported operation is Get.

                              **AppVPublishing/Sync** -

                              Used to perform App-V synchronization.

                              +

                              Used to perform App-V synchronization.

                              **AppVPublishing/Sync/PublishXML** -

                              Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

                              -

                              Supported operations are Get, Delete, and Execute.

                              +

                              Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

                              +

                              Supported operations are Get, Delete, and Execute.

                              **AppVDynamicPolicy** -

                              Used to set App-V Policy Configuration documents for publishing packages.

                              +

                              Used to set App-V Policy Configuration documents for publishing packages.

                              **AppVDynamicPolicy/*ConfigurationId*** -

                              ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).

                              +

                              ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).

                              **AppVDynamicPolicy/*ConfigurationId*/Policy** -

                              XML for App-V Policy Configuration documents for publishing packages.

                              -

                              Value type is xml. Supported operations are Add, Get, Delete, and Replace.

                              \ No newline at end of file +

                              XML for App-V Policy Configuration documents for publishing packages.

                              +

                              Value type is xml. Supported operations are Add, Get, Delete, and Replace.

                              \ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 12f02b683f..58fdde76ab 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -40,10 +40,10 @@ EnterpriseExtFileSystem The following list describes the characteristics and parameters. **./Vendor/MSFT/EnterpriseExtFileSystem** -
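Review bot: `+AppVPublishing/LastSync/SyncProgress` is the only node heading in this file without the `**` markers; the `+` line should be `**AppVPublishing/LastSync/SyncProgress**` so it renders like the other nodes. The enumerations under SyncProgress (SYNC_STATUS_*, described as "Latest sync state") and under SyncStatusDescription (SYNC_PROGRESS_*, described as "Latest sync in-progress stage") look as though they sit under each other's heading; confirm which node returns which list. Two smaller items: "[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol" is cited without a link, and the file is still written without a trailing newline ("\ No newline at end of file" on both sides), which is worth fixing while the last line is being touched.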

                              The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.

                              +

                              The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.

                              **Persistent** -

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.

                              +

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.

                              > **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer. > @@ -54,24 +54,24 @@ The following list describes the characteristics and parameters. **NonPersistent** -
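Review bot: the Persistent `+` line has a subject-verb disagreement, "Files written to the Persistent folder persists over ordinary power cycles.", which should be "persist". The root node line also bundles "Supported operations are Add and Get." into the description sentence, whereas every other CSP in this patch places the supported operations on their own line; split it for consistency.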

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

                              +

                              The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

                              -

                              When the device is wiped, any data stored in the NonPersistent folder is deleted.

                              +

                              When the device is wiped, any data stored in the NonPersistent folder is deleted.

                              **OemProfile** -

                              Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.

                              +

                              Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.

                              ***Directory*** -

                              The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.

                              +

                              The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.

                              -

                              Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.

                              +

                              Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.

                              -

                              Use the Get command to return the list of child node names under Directory.

                              +

                              Use the Get command to return the list of child node names under Directory.

                              -

                              Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.

                              +

                              Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.

                              ***Filename*** -

                              The name of a file in the device file system.

                              +

                              The name of a file in the device file system.

                              Supported operations is Get. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 19fbe15c22..2d9fbf4570 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -103,68 +103,68 @@ Firewall ----------------Name ``` **./Vendor/MSFT/Firewall** -
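Review bot: the NonPersistent `+` line opens with "Files written to the NonPersistent folder will persist over ordinary power cycles.", which is the same statement the Persistent node just made, so the reader only learns the difference from the following sentence about device wipe; lead with that difference ("Unlike Persistent, data in this folder is deleted when the device is wiped; it does survive ordinary power cycles.") so the node name and its first sentence agree. Two wording fixes in the same hunk: the OemProfile line "such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver" should read "that can be consumed", and the Filename line "Supported operations is Get." should be "Supported operation is Get."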

                              Root node for the Firewall configuration service provider.

                              +

                              Root node for the Firewall configuration service provider.

                              **MdmStore** -

                              Interior node.

                              -

                              Supported operation is Get.

                              +

                              Interior node.

                              +

                              Supported operation is Get.

                              **MdmStore/Global** -

                              Interior node.

                              -

                              Supported operations are Get.

                              +

                              Interior node.

                              +

                              Supported operations are Get.

                              **MdmStore/Global/PolicyVersionSupported** -

                              Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

                              -

                              Value type in integer. Supported operation is Get.

                              +

                              Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

                              +

                              Value type in integer. Supported operation is Get.

                              **MdmStore/Global/CurrentProfiles** -

                              Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

                              -

                              Value type in integer. Supported operation is Get.

                              +

                              Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

                              +

                              Value type in integer. Supported operation is Get.

                              **MdmStore/Global/DisableStatefulFtp** -

                              Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

                              -

                              Default value is false.

                              -

                              Data type is bool. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

                              +

                              Default value is false.

                              +

                              Data type is bool. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/SaIdleTime** -

                              This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              -

                              Default value is 300.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              +

                              Default value is 300.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/PresharedKeyEncoding** -

                              Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              -

                              Default value is 1.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              +

                              Default value is 1.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/IPsecExempt** -

                              This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              -

                              Default value is 0.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                              +

                              Default value is 0.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/CRLcheck** -

                              This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

                              +

                              This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

                              • 0 disables CRL checking
                              • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
                              • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
                              -

                              Default value is 0.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Default value is 0.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/PolicyVersion** -

                              This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

                              +

                              Value type is string. Supported operation is Get.

                              **MdmStore/Global/BinaryVersionSupported** -

                              This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

                              +

                              Value type is string. Supported operation is Get.

                              **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

                              This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              -

                              Boolean value. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              +

                              Boolean value. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/Global/EnablePacketQueue** -

                              This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

                              +

                              This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

                              • 0x00 indicates that all queuing is to be disabled
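Review bot: the re-added lines in this hunk carry the original text's typos over unchanged, so this rewrite should fix them while it is already touching every line: under MdmStore/Global, "Supported operations are Get." should read "Supported operation is Get."; under PolicyVersionSupported and CurrentProfiles, "Value type in integer." should read "Value type is integer."; under CRLcheck, "Valid valued:" should read "Valid values:"; and DisableStatefulFtp says "Data type is bool." where every other node in the hunk says "Value type is bool.". Smaller wording point: OpportunisticallyMatchAuthSetPerKM opens with "This value is bool used as an on/off switch", which would read better as "Boolean value used as an on/off switch", matching the other Boolean nodes.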
                              • @@ -172,71 +172,71 @@ Firewall
                              • 0x02 specifies that packets are to be queued after decryption is performed for forwarding
                              -

                              Default value is 0.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Default value is 0.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **MdmStore/DomainProfile** -

                              Interior node. Supported operation is Get.

                              +

                              Interior node. Supported operation is Get.

                              **MdmStore/PrivateProfile** -

                              Interior node. Supported operation is Get.

                              +

                              Interior node. Supported operation is Get.

                              **MdmStore/PublicProfile** -

                              Interior node. Supported operation is Get.

                              +

                              Interior node. Supported operation is Get.

                              **/EnableFirewall** -

                              Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/DisableStealthMode** -

                              Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/Shielded** -

                              Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Get and Replace.

                              +

                              Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Get and Replace.

                              **/DisableUnicastResponsesToMulticastBroadcast** -

                              Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/DisableInboundNotifications** -

                              Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is false.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is false.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/AuthAppsAllowUserPrefMerge** -

                              Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/GlobalPortsAllowUserPrefMerge** -

                              Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/AllowLocalPolicyMerge** -

                              Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/AllowLocalIpsecPolicyMerge** -

                              Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **/DefaultOutboundAction** -

                              This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

                              +

                              This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

                              • 0x00000000 - allow
                              • 0x00000001 - block
                              -

                              Default value is 0 (allow).

                              -

                              Value type is integer. Supported operations are Add, Get and Replace.

                              +

                              Default value is 0 (allow).

                              +

                              Value type is integer. Supported operations are Add, Get and Replace.
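Review bot: the DefaultOutboundAction text contradicts its own stated default. The sentence "DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block." reads as if the node blocks by default, but the same hunk states "Default value is 0 (allow)"; it should say that when the value is set to 1 (block), outbound traffic is blocked unless a rule explicitly allows it. Two smaller points in the same hunk: the headings **/EnableFirewall** through **/DefaultOutboundAction** follow the DomainProfile, PrivateProfile and PublicProfile interior nodes, but nothing says these nodes exist under each of the three profiles, so a lead-in sentence or full paths such as MdmStore/DomainProfile/EnableFirewall would make the scope clear; and DisableInboundNotifications switches from "If this value is false" to "If this value is on" (use "true"), while DisableUnicastResponsesToMulticastBroadcast says "unicast responses ... is blocked" where "are blocked" is needed.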

                              Sample syncxml to provision the firewall settings to evaluate @@ -263,70 +263,70 @@ Sample syncxml to provision the firewall settings to evaluate ``` **/DefaultInboundAction** -

                              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

                              +

                              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

                              • 0x00000000 - allow
                              • 0x00000001 - block
                              -

                              Default value is 1 (block).

                              -

                              Value type is integer. Supported operations are Add, Get and Replace.

                              +

                              Default value is 1 (block).

                              +

                              Value type is integer. Supported operations are Add, Get and Replace.

                              **/DisableStealthModeIpsecSecuredPacketExemption** -

                              Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              -

                              Default value is true.

                              -

                              Value type is bool. Supported operations are Add, Get and Replace.

                              +

                              Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                              +

                              Default value is true.

                              +

                              Value type is bool. Supported operations are Add, Get and Replace.

                              **FirewallRules** -

                              A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

                              +

                              A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

                              **FirewallRules/_FirewallRuleName_** -

                              Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

                              -

                              Supported operations are Add, Get, Replace, and Delete.

                              +

                              Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

                              +

                              Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App** -

                              Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

                              +

                              Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

                              • PackageFamilyName
                              • FilePath
                              • FQBN
                              • ServiceName
                              -

                              If not specified, the default is All.

                              -

                              Supported operation is Get.

                              +

                              If not specified, the default is All.

                              +

                              Supported operation is Get.

                              **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -

                              This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App/FilePath** -

                              This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App/Fqbn** -

                              Fully Qualified Binary Name

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Fully Qualified Binary Name

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/App/ServiceName** -

                              This is a service name used in cases when a service, not an application, is sending or receiving traffic.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              This is a service name used in cases when a service, not an application, is sending or receiving traffic.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/Protocol** -

                              0-255 number representing the ip protocol (TCP = 6, UDP = 17)

                              -

                              If not specified, the default is All.

                              -

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              +

                              0-255 number representing the ip protocol (TCP = 6, UDP = 17)

                              +

                              If not specified, the default is All.

                              +

                              Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/LocalPortRanges** -

                              Comma separated list of ranges. For example, 100-120,200,300-320.

                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Comma separated list of ranges. For example, 100-120,200,300-320.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/RemotePortRanges** -

                              Comma separated list of ranges, For example, 100-120,200,300-320.

                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Comma separated list of ranges, For example, 100-120,200,300-320.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

                              Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                              +

                              Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                              • "*" indicates any local address. If present, this must be the only token included.
                              • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                              • @@ -334,11 +334,11 @@ Sample syncxml to provision the firewall settings to evaluate
                              • An IPv4 address range in the format of "start address - end address" with no spaces included.
                              • An IPv6 address range in the format of "start address - end address" with no spaces included.
                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -

                              List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

                              +

                              List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

                              • "*" indicates any remote address. If present, this must be the only token included.
                              • "Defaultgateway"
                              • @@ -355,70 +355,70 @@ Sample syncxml to provision the firewall settings to evaluate
                              • An IPv4 address range in the format of "start address - end address" with no spaces included.
                              • An IPv6 address range in the format of "start address - end address" with no spaces included.
                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              -

                              The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

                              **FirewallRules/_FirewallRuleName_/Description** -

                              Specifies the description of the rule.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Specifies the description of the rule.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/Enabled** -

                              Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -

                              If not specified - a new rule is enabled by default.

                              -

                              Boolean value. Supported operations are Get and Replace.

                              +

                              Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +

                              If not specified - a new rule is enabled by default.

                              +

                              Boolean value. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/Profiles** -

                              Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

                              -

                              If not specified, the default is All.

                              -

                              Value type is integer. Supported operations are Get and Replace.

                              +

                              Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

                              +

                              If not specified, the default is All.

                              +

                              Value type is integer. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/Action** -

                              Specifies the action for the rule.

                              -

                              Supported operation is Get.

                              +

                              Specifies the action for the rule.

                              +

                              Supported operation is Get.

                              **FirewallRules/_FirewallRuleName_/Action/Type** -

                              Specifies the action the rule enforces. Supported values:

                              +

                              Specifies the action the rule enforces. Supported values:

                              • 0 - Block
                              • 1 - Allow
                              -

                              If not specified, the default is allow.

                              -

                              Value type is integer. Supported operations are Get and Replace.

                              +

                              If not specified, the default is allow.

                              +

                              Value type is integer. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/Direction** -

                              The rule is enabled based on the traffic direction as following. Supported values:

                              +

                              The rule is enabled based on the traffic direction as following. Supported values:

                              • IN - the rule applies to inbound traffic.
                              • OUT - the rule applies to outbound traffic.
                              • If not specified, the default is Out.
                              -

                              Value type is string. Supported operations are Get and Replace.

                              +

                              Value type is string. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/InterfaceTypes** -

                              Comma separated list of interface types. Valid values:

                              +

                              Comma separated list of interface types. Valid values:

                              • RemoteAccess
                              • Wireless
                              • Lan
                              -

                              If not specified, the default is All.

                              -

                              Value type is string. Supported operations are Get and Replace.

                              +

                              If not specified, the default is All.

                              +

                              Value type is string. Supported operations are Get and Replace.

                              **FirewallRules/_FirewallRuleName_/EdgeTraversal** -

                              Indicates whether edge traversal is enabled or disabled for this rule.

                              -

                              The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

                              -

                              New rules have the EdgeTraversal property disabled by default.

                              -

                              Value type is bool. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Indicates whether edge traversal is enabled or disabled for this rule.

                              +

                              The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

                              +

                              New rules have the EdgeTraversal property disabled by default.

                              +

                              Value type is bool. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -

                              Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              **FirewallRules/_FirewallRuleName_/Status** -

                              Provides information about the specific version of the rule in deployment for monitoring purposes.

                              -

                              Value type is string. Supported operation is Get.

                              +

                              Provides information about the specific version of the rule in deployment for monitoring purposes.

                              +

                              Value type is string. Supported operation is Get.

                              **FirewallRules/_FirewallRuleName_/Name** -

                              Name of the rule.

                              -

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.

                              +

                              Name of the rule.

                              +

                              Value type is string. Supported operations are Add, Get, Replace, and Delete.
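Review bot: every `-`/`+` pair in this file's hunks carries identical visible text, so the change is whitespace-only (trailing spaces or line endings); the same pass should fix the content defects it reflows unchanged. Under Profiles, "Domain, Private, Public. . See FW_PROFILE_TYPE" has a doubled period, and the line could say the integer is the bitwise OR of the FW_PROFILE_TYPE values rather than just pointing at them. Under RemotePortRanges, "Comma separated list of ranges, For example, 100-120,200,300-320." needs a period before "For example", matching LocalPortRanges. Under Direction, "If not specified, the default is Out." is listed as a third supported value instead of as a default sentence after the IN and OUT bullets. Under App, "If not specified, the default is All." is stated for a parent node whose only supported operation is Get; either move it to the child nodes (PackageFamilyName, FilePath, Fqbn, ServiceName) or say what "All" means there. Under Action/Type, "If not specified, the default is allow." deserves an explicit warning: with the other defaults listed here (App All, Protocol All, LocalPortRanges and RemotePortRanges All, RemoteAddressRanges "*", Direction Out), a rule that specifies only a name becomes an allow-all outbound rule, so a provisioning mistake fails open rather than closed.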

                              diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 03fb5b432d..e570b9890d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -26,18 +26,18 @@ The following is a list of functions performed by the Device HealthAttestation C ## Terms **TPM (Trusted Platform Module)** -

                              TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

                              +

                              TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

                              **DHA (Device HealthAttestation) feature** -

                              The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

                              +

                              The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

                              **DHA-Enabled device (Device HealthAttestation enabled device)** -

                              A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.

                              +

                              A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.

                              **DHA-Session (Device HealthAttestation session)** -

                              The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

                              +

                              The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

                              -

                              The following list of transactions is performed in one DHA-Session:

                              +

                              The following list of transactions is performed in one DHA-Session:

                              • DHA-CSP and DHA-Service communication:
                                • DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
                                • @@ -57,7 +57,7 @@ The following is a list of functions performed by the Device HealthAttestation C healthattestation session diagram
                                  DHA session data (Device HealthAttestation session data) -

                                  The following list of data is produced or consumed in one DHA-Transaction:

                                  +

                                  The following list of data is produced or consumed in one DHA-Transaction:

                                  • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
                                  • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
                                  • @@ -73,9 +73,9 @@ The following is a list of functions performed by the Device HealthAttestation C
                                  DHA-Enabled MDM (Device HealthAttestation enabled device management solution) -

                                  Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

                                  -

                                  DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.

                                  -

                                  The following list of operations is performed by DHA-Enabled-MDM

                                  +

                                  Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

                                  +

                                  DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.

                                  +

                                  The following list of operations is performed by DHA-Enabled-MDM

                                  • Enables the DHA feature on a DHA-Enabled device
                                  • Issues device health attestation requests to enrolled/managed devices
                                  • @@ -84,8 +84,8 @@ The following is a list of functions performed by the Device HealthAttestation C
                                  DHA-CSP (Device HealthAttestation Configuration Service Provider) -

                                  The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

                                  -

                                  The following list of operations is performed by DHA-CSP:

                                  +

                                  The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

                                  +

                                  The following list of operations is performed by DHA-CSP:

                                  • Collects device boot data (DHA-BootData) from a managed device
                                  • Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
                                  • @@ -94,10 +94,10 @@ The following is a list of functions performed by the Device HealthAttestation C
                                  DHA-Service (Device HealthAttestation Service) -

                                  Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

                                  +

                                  Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

                                  -

                                  DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

                                  -

                                  The following list of operations is performed by DHA-Service:

                                  +

                                  DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

                                  +

                                  The following list of operations is performed by DHA-Service:

                                  - Receives device boot data (DHA-BootData) from a DHA-Enabled device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) @@ -120,8 +120,8 @@ The following is a list of functions performed by the Device HealthAttestation C -Device Health Attestation – Cloud

                                  (DHA-Cloud)

                                  -

                                  DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

                                  +Device Health Attestation – Cloud

                                  (DHA-Cloud)

                                  +

                                  DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

                                  • Available in Windows for free
                                  • Running on a high-availability and geo-balanced cloud infrastructure
                                  • @@ -134,12 +134,12 @@ The following is a list of functions performed by the Device HealthAttestation C
                                -No cost +No cost -Device Health Attestation – On Premise

                                (DHA-OnPrem)

                                -

                                DHA-OnPrem refers to DHA-Service that is running on premises:

                                +Device Health Attestation – On Premise

                                (DHA-OnPrem)

                                +

                                DHA-OnPrem refers to DHA-Service that is running on premises:

                                • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                                • Hosted on an enterprise owned and managed server device/hardware
                                • @@ -152,11 +152,11 @@ The following is a list of functions performed by the Device HealthAttestation C
                              -The operation cost of running one or more instances of Server 2016 on-premises. +The operation cost of running one or more instances of Server 2016 on-premises. -Device Health Attestation - Enterprise-Managed Cloud

                              (DHA-EMC)

                              -

                              DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

                              +Device Health Attestation - Enterprise-Managed Cloud

                              (DHA-EMC)

                              +

                              DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

                              • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                              • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                              • @@ -168,7 +168,7 @@ The following is a list of functions performed by the Device HealthAttestation C
                            -The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. +The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. @@ -193,19 +193,19 @@ HealthAttestation ----MaxSupportedProtocolVersion ``` **./Vendor/MSFT/HealthAttestation** -

                            The root node for the device HealthAttestation configuration service provider.

                            +

                            The root node for the device HealthAttestation configuration service provider.

                            **VerifyHealth** (Required) -

                            Notifies the device to prepare a device health verification request.

                            +

                            Notifies the device to prepare a device health verification request.

                            -

                            The supported operation is Execute.

                            +

                            The supported operation is Execute.

                            **Status** (Required) -

                            Provides the current status of the device health request.

                            +

                            Provides the current status of the device health request.

                            -

                            The supported operation is Get.

                            +

                            The supported operation is Get.

                            -

                            The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

                            +

                            The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

                            - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -213,35 +213,35 @@ HealthAttestation - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up **ForceRetrieve** (Optional) -

                            Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

                            +

                            Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

                            -

                            Boolean value. The supported operation is Replace.

                            +

                            Boolean value. The supported operation is Replace.

                            **Certificate** (Required) -

                            Instructs the DHA-CSP to forward DHA-Data to the MDM server.

                            +

                            Instructs the DHA-CSP to forward DHA-Data to the MDM server.

                            -

                            Value type is b64.The supported operation is Get.

                            +

                            Value type is b64.The supported operation is Get.

                            **Nonce** (Required) -

                            Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

                            +

                            Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

                            -

                            The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.

                            +

                            The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.

                            -

                            The supported operations are Get and Replace.

                            +

                            The supported operations are Get and Replace.

                            **CorrelationId** (Required) -

                            Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.

                            +

                            Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.

                            -

                            Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.

                            +

                            Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.

                            **HASEndpoint** (Optional) -

                            Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.

                            +

                            Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.

                            -

                            Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.

                            +

                            Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.

                            **TpmReadyStatus** (Required) -

                            Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

                            -

                            Value type is integer. The supported operation is Get.

                            +

                            Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

                            +

                            Value type is integer. The supported operation is Get.

                            ## **DHA-CSP integration steps** @@ -508,14 +508,14 @@ The following list of data points are verified by the DHA-Service in DHA-Report Each of these are described in further detail in the following sections, along with the recommended actions to take. **Issued** -
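Review bot: the **Nonce** text in the hunk above overstates what the nonce buys you. A server-generated random value that the device must bind into the signed DHA-Data protects against replay of an earlier health report; it does not protect against a man-in-the-middle on the transport, which is what TLS to the MDM and to the DHA-Service is for. Suggest "Enables MDMs to protect the device health attestation exchange from replay attacks with a cryptographically random value that is generated by the MDM server", and add that the MDM server must verify the nonce it issued is the one returned in the report before it accepts any of the DHA-Report values. Since this hunk only touches whitespace, also fix "Value type is b64.The supported operation is Get." under **Certificate** (missing space), and consider stating under **HASEndpoint** that because the node is Replace-able the MDM should only ever set it to an endpoint it controls or to the default has.spserv.microsoft.com.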

                            The date and time DHA-report was evaluated or issued to MDM.

                            +

                            The date and time DHA-report was evaluated or issued to MDM.

                            **AIKPresent** -

                            When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.

                            +

                            When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.

                            -

                            If AIKPresent = True (1), then allow access.

                            +

                            If AIKPresent = True (1), then allow access.

                            -

                            If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:

                            +

                            If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -523,24 +523,24 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -
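Review bot: the **AIKPresent** paragraph has the dependency backwards. In the attestation flow an Attestation Identity Key certificate is issued only after the device's endorsement key (EK) certificate has been validated, so AIKPresent = True means the key that signs the health data chains to a manufacturer-issued EK; that is the reason such a device can be trusted more, not that the AIK "indicates" an EK certificate exists. Suggest "When an Attestation Identity Key (AIK) is present on a device, the device's endorsement key (EK) certificate was validated when the AIK was certified, so the attestation data is signed by a key that chains to the TPM manufacturer. Such a device can be trusted more than one without a certified AIK."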

                            This attribute reports the number of times a PC device has hibernated or resumed.

                            +

                            This attribute reports the number of times a PC device has hibernated or resumed.

                            **RestartCount** (Reported only for devices that support TPM 2.0) -

                            This attribute reports the number of times a PC device has rebooted

                            +

                            This attribute reports the number of times a PC device has rebooted

                            **DEPPolicy** -

                            A device can be trusted more if the DEP Policy is enabled on the device.

                            +

                            A device can be trusted more if the DEP Policy is enabled on the device.

                            -

                            Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.

                            +

                            Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.

                            -

                            DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            +

                            DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -

                            If DEPPolicy = 1 (On), then allow access.

                            +

                            If DEPPolicy = 1 (On), then allow access.

                            -

                            If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            +

                            If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -548,15 +548,15 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -
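Review bot: the **ResetCount** and **RestartCount** definitions in the hunk above look swapped relative to the TPM 2.0 clock counters, where resetCount is incremented on a TPM Reset (cold boot or reboot) and restartCount on a TPM Restart (resume from hibernation); please check both sentences against the TPM Library specification and the service's field mapping before this ships. In **DEPPolicy**, "Data Execution Prevention (DEP) Policy defines is a set of ..." should drop "defines", and "Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on" needs to be rewritten into something a reader can act on (which nx values are permitted on x86/amd64, and that on ARM the policy is fixed to on). The two bcdedit bullets are not "commands in WMI"; say "from an elevated command prompt or PowerShell", and mention that a change to nx only takes effect at the next boot, which is why the attested DEPPolicy value can lag a configuration change.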

                            When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

                            +

                            When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

                            -

                            Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

                            +

                            Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

                            -

                            If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.

                            +

                            If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.

                            -

                            If BitLockerStatus = 1 (On), then allow access.

                            +

                            If BitLockerStatus = 1 (On), then allow access.

                            -

                            If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            +

                            If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -564,11 +564,11 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -

                            This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

                            +

                            This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

                            -

                            If BootManagerRevListVersion = [CurrentVersion], then allow access.

                            +

                            If BootManagerRevListVersion = [CurrentVersion], then allow access.

                            -

                            If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            +

                            If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI and MBI assets @@ -576,11 +576,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -
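Review bot: the first sentence of **BootManagerRevListVersion** says it is "the version of the Boot Manager that is running on the device", but the attribute name and the compliance rule (compare against a [CurrentVersion] of a revocation list) describe the version of the boot manager revocation list in effect when the device booted, i.e. whether the device has applied the latest revocations of compromised boot managers. Suggest "This attribute indicates the version of the Boot Manager revocation list that was in effect when the device booted" and keep the rule as written; if the attribute really is the boot manager's own version, the text should say what [CurrentVersion] is compared against. The last bullet of this hunk also has "such as such as".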

                            This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

                            +

                            This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

                            -

                            If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.

                            +

                            If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.

                            -

                            If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            +

                            If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI and MBI assets @@ -588,11 +588,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -
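Review bot: same issue as the previous hunk for **CodeIntegrityRevListVersion**: "the version of the code that is performing integrity checks" does not match the attribute name, which refers to the version of the code integrity revocation list, and the parenthetical "(revoked)" in the next sentence makes sense only under that reading. Suggest "This attribute indicates the version of the code integrity revocation list that was enforced during boot. Compare it with the latest published version to detect devices that still accept revoked boot or kernel binaries." The final bullet again reads "such as such as".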

                            When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

                            +

                            When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

                            -

                            If SecureBootEnabled = 1 (True), then allow access.

                            +

                            If SecureBootEnabled = 1 (True), then allow access.

                            -

                            If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -600,16 +600,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -
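Review bot: **SecureBootEnabled** says signatures must be "trusted by the organization that manufactured the device"; what the firmware actually checks is the UEFI signature databases (db and dbx) provisioned on the device, which on most PCs trust Microsoft's UEFI CA rather than only the OEM. Suggest "must be signed by a certificate in the device's UEFI signature database (db) and not listed in the forbidden database (dbx)". The two rule lines also disagree on the attribute name ("SecureBootEnabled" versus "SecurebootEnabled"); use the former in both.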

                            Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

                            +

                            Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

                            -

                            Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            +

                            Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -

                            If BootdebuggingEnabled = 0 (False), then allow access.

                            +

                            If BootdebuggingEnabled = 0 (False), then allow access.

                            -

                            If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -617,11 +617,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -
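Review bot: the corrective action at the end of the **BootDebuggingEnabled** hunk, "such as enabling VSM using WMI or a PowerShell script", is a copy-paste from the VSMEnabled section and does not remediate boot debugging; it should read "such as disabling boot debugging with bcdedit.exe /set {current} bootdebug off and restarting the device". As in the DEP section, bcdedit is not a WMI command, so "from an elevated command prompt or PowerShell" is the accurate wording, and the attested value only changes after the next boot.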

                            OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

                            +

                            OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

                            -

                            If OSKernelDebuggingEnabled = 0 (False), then allow access.

                            +

                            If OSKernelDebuggingEnabled = 0 (False), then allow access.

                            -

                            If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -629,15 +629,15 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -
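Review bot: the **OSKernelDebuggingEnabled** section gives no remediation command, unlike the boot debugging and test signing sections that bracket it; for parity add "Kernel debugging can be disabled with bcdedit.exe /debug off" (it takes effect at the next boot, so the attested value will change only after a restart). The last bullet again contains "such as such as".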

                            When code integrity is enabled, code execution is restricted to integrity verified code.

                            +

                            When code integrity is enabled, code execution is restricted to integrity verified code.

                            -

                            Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.

                            +

                            Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.

                            -

                            On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

                            +

                            On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

                            -

                            If CodeIntegrityEnabled = 1 (True), then allow access.

                            +

                            If CodeIntegrityEnabled = 1 (True), then allow access.

                            -

                            If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets @@ -645,16 +645,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -

                            When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.

                            +

                            When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.

                            -

                            Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            +

                            Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                            - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -

                            If TestSigningEnabled = 0 (False), then allow access.

                            +

                            If TestSigningEnabled = 0 (False), then allow access.

                            -

                            If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI and MBI assets @@ -662,33 +662,33 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -
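Review bot: both bcdedit bullets under **TestSigningEnabled** are labelled "To disable boot debugging" / "To enable boot debugging" while the command they show sets testsigning; relabel them "To disable test signing" / "To enable test signing". The final corrective action, "such as enabling test signing", is inverted; it should be "disabling test signing". The first sentence's example "(such as unsigned UEFI modules)" is also wrong: test signing relaxes Windows kernel-mode code signing for drivers, while UEFI modules are governed by Secure Boot, and on a Secure Boot enabled device bcdedit refuses to turn testsigning on. Suggest "allows test-signed or unsigned kernel-mode drivers to load".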

                            Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

                            +

                            Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

                            -

                            If SafeMode = 0 (False), then allow access.

                            +

                            If SafeMode = 0 (False), then allow access.

                            -

                            If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:

                            +

                            If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -

                            Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.

                            +

                            Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.

                            -

                            If WinPE = 0 (False), then allow access.

                            +

                            If WinPE = 0 (False), then allow access.

                            -

                            If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

                            +

                            If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

                            **ELAMDriverLoaded** (Windows Defender) -

                            To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

                            +

                            To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

                            -

                            In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

                            +

                            In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

                            -

                            If a device is expected to use a 3rd party antivirus program, ignore the reported state.

                            +

                            If a device is expected to use a 3rd party antivirus program, ignore the reported state.

                            -

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

                            +

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

                            -

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:

                            +

                            If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:

                            - Disallow all access - Disallow access to HBI assets @@ -696,61 +696,61 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -
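Review bot: the **ELAMDriverLoaded** text in the hunk above says the feature requires Hybrid Resume to be disabled but does not say what the report looks like when it is not: on a hybrid boot the ELAM driver is not re-evaluated, so ELAMDriverLoaded = 0 on such a device is a measurement gap rather than evidence that Defender's ELAM driver is missing. Suggest adding "On devices where Hybrid Resume (fast startup) is enabled, treat ELAMDriverLoaded as unknown rather than as a failure" so that the Disallow actions below are not triggered by a configuration the section itself says is unsupported.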

                            If ELAMDriverLoaded = 1 (True), then allow access.

                            +

                            If ELAMDriverLoaded = 1 (True), then allow access.

                            -

                            If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -

                            Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

                            +

                            Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

                            -

                            VSM can be enabled by using the following command in WMI or a PowerShell script:

                            +

                            VSM can be enabled by using the following command in WMI or a PowerShell script:

                            -

                            bcdedit.exe /set {current} vsmlaunchtype auto

                            +

                            bcdedit.exe /set {current} vsmlaunchtype auto

                            -

                            If VSMEnabled = 1 (True), then allow access.

                            -

                            If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            +

                            If VSMEnabled = 1 (True), then allow access.

                            +

                            If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -

                            This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.

                            +

                            This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.

                            **BootAppSVN** -

                            This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device

                            +

                            This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device

                            -

                            If reported BootAppSVN equals an accepted value, then allow access.

                            +

                            If reported BootAppSVN equals an accepted value, then allow access.

                            -

                            If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -

                            This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.

                            +

                            This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.

                            -

                            If reported BootManagerSVN equals an accepted value, then allow access.

                            +

                            If reported BootManagerSVN equals an accepted value, then allow access.

                            -

                            If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -

                            This attribute identifies the version of the TPM that is running on the attested device.

                            -

                            TPMVersion node provides to replies "1" and "2":

                            +

                            This attribute identifies the version of the TPM that is running on the attested device.

                            +

                            TPMVersion node provides to replies "1" and "2":

                            • 1 means TPM specification version 1.2
                            • 2 means TPM specification version 2.0
                            -

                            Based on the reply you receive from TPMVersion node:

                            +

                            Based on the reply you receive from TPMVersion node:

                            - If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -758,63 +758,63 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -
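Review bot: every `-` line in this hunk is re-added as a `+` line with identical visible text, so as rendered this is whitespace-only churn; confirm that is intended, and since the lines are being touched anyway, fix the errors they carry over: in the VSMEnabled = 0 action list, "contact the owner investigate the issue" is missing "to" ("contact the owner to investigate the issue"); the BootAppSVN sentence ("...loaded during initial boot on the attested device") has no terminal period, unlike its BootManagerSVN twin; and "TPMVersion node provides to replies "1" and "2"" should read "provides two replies". The VSM enablement line also says the command is run "in WMI or a PowerShell script", but `bcdedit.exe /set {current} vsmlaunchtype auto` is a command-line tool invocation, not a WMI call; "from an elevated command prompt or a PowerShell script" would be accurate.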

                            The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

                            +

                            The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

                            -

                            Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

                            +

                            Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

                            -

                            If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

                            +

                            If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

                            -

                            If PCR[0] equals an accepted allow list value, then allow access.

                            +

                            If PCR[0] equals an accepted allow list value, then allow access.

                            -

                            If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:

                            +

                            If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -

                            SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.

                            +

                            SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.

                            -

                            If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +

                            If SBCPHash is not present, or is an accepted allow-listed value, then allow access. -

                            If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            +

                            If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -

                            This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.

                            +

                            This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.

                            -

                            If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

                            +

                            If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

                            -

                            If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            +

                            If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -

                            This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.

                            +

                            This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.

                            -

                            If reported BootRevListInfo version equals an accepted value, then allow access.

                            +

                            If reported BootRevListInfo version equals an accepted value, then allow access.

                            -

                            If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -

                            This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.

                            +

                            This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.

                            -

                            If reported OSRevListInfo version equals an accepted value, then allow access.

                            +

                            If reported OSRevListInfo version equals an accepted value, then allow access.

                            -

                            If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            +

                            If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                            - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -

                            HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.

                            +

                            HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.

                            -

                            In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

                            +

                            In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

                            ## **Device HealthAttestation CSP status and error codes** 
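Review bot: the re-added lines keep "a allow list" in the PCR0 paragraphs ("create a allow list", "does not have a allow list") and "a allow-listed value" in the SBCPHash and CIPolicy paragraphs; change these to "an allow list" / "an allow-listed value" while the lines are being rewritten. "finger print" in the SBCPHash description should be one word, and the HealthStatusMismatchFlags sentence needs a comma after the opening clause: "In case of a detected issue, a list of impacted DHA-report elements will be listed...". The PCR0 guidance "If your enterprise does not have a allow list of accepted PCR[0] values, then take no action" would be easier to apply if it said outright that without an allow list PCR[0] gives no trust signal and the access decision then rests on the other attributes.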
@@ -825,204 +825,204 @@ Each of these are described in further detail in the following sections, along w Description - 0 - HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED - This is the initial state for devices that have never participated in a DHA-Session. + 0 + HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED + This is the initial state for devices that have never participated in a DHA-Session. - 1 - HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED - This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. + 1 + HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED + This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. - 2 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED - This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. + 2 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED + This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. - 3 - HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE - This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. + 3 + HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE + This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. - 4 - HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL - Deprecated in Windows 10, version 1607. + 4 + HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL + Deprecated in Windows 10, version 1607. - 5 - HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL - DHA-CSP failed to get a claim quote. + 5 + HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL + DHA-CSP failed to get a claim quote. - 6 - HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY - DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. 
+ 6 + HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY + DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. - 7 - HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL - DHA-CSP failed in retrieving Windows AIK + 7 + HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL + DHA-CSP failed in retrieving Windows AIK - 8 - HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL - Deprecated in Windows 10, version 1607. + 8 + HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL + Deprecated in Windows 10, version 1607. - 9 - HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION - Invalid TPM version (TPM version is not 1.2 or 2.0) + 9 + HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION + Invalid TPM version (TPM version is not 1.2 or 2.0) - 10 - HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL - Nonce was not found in the registry. + 10 + HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL + Nonce was not found in the registry. - 11 - HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL - Correlation ID was not found in the registry. + 11 + HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL + Correlation ID was not found in the registry. - 12 - HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL - Deprecated in Windows 10, version 1607. + 12 + HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL + Deprecated in Windows 10, version 1607. - 13 - HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL - Deprecated in Windows 10, version 1607. + 13 + HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL + Deprecated in Windows 10, version 1607. - 14 - HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL - Failure in Encoding functions. (Extremely unlikely scenario) + 14 + HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL + Failure in Encoding functions. (Extremely unlikely scenario) - 15 - HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL - Deprecated in Windows 10, version 1607. + 15 + HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL + Deprecated in Windows 10, version 1607. 
- 16 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML - DHA-CSP failed to load the payload it received from DHA-Service + 16 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML + DHA-CSP failed to load the payload it received from DHA-Service - 17 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML - DHA-CSP received a corrupted response from DHA-Service. + 17 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML + DHA-CSP received a corrupted response from DHA-Service. - 18 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML - DHA-CSP received an empty response from DHA-Service. + 18 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML + DHA-CSP received an empty response from DHA-Service. - 19 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK - DHA-CSP failed in decrypting the AES key from the EK challenge. + 19 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK + DHA-CSP failed in decrypting the AES key from the EK challenge. - 20 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK - DHA-CSP failed in decrypting the health cert with the AES key. + 20 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK + DHA-CSP failed in decrypting the health cert with the AES key. - 21 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB - DHA-CSP failed in exporting the AIK Public Key. + 21 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB + DHA-CSP failed in exporting the AIK Public Key. - 22 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY - DHA-CSP failed in trying to create a claim with AIK attestation data. + 22 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY + DHA-CSP failed in trying to create a claim with AIK attestation data. - 23 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB - DHA-CSP failed in appending the AIK Pub to the request blob. + 23 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB + DHA-CSP failed in appending the AIK Pub to the request blob. 
- 24 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT - DHA-CSP failed in appending the AIK Cert to the request blob. + 24 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT + DHA-CSP failed in appending the AIK Cert to the request blob. - 25 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE - DHA-CSP failed to obtain a Session handle. + 25 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE + DHA-CSP failed to obtain a Session handle. - 26 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE - DHA-CSP failed to connect to the DHA-Service. + 26 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE + DHA-CSP failed to connect to the DHA-Service. - 27 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE - DHA-CSP failed to create a HTTP request handle. + 27 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE + DHA-CSP failed to create a HTTP request handle. - 28 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION - DHA-CSP failed to set options. + 28 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION + DHA-CSP failed to set options. - 29 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS - DHA-CSP failed to add request headers. + 29 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS + DHA-CSP failed to add request headers. - 30 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST - DHA-CSP failed to send the HTTP request. + 30 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST + DHA-CSP failed to send the HTTP request. - 31 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE - DHA-CSP failed to receive a response from the DHA-Service. + 31 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE + DHA-CSP failed to receive a response from the DHA-Service. - 32 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS - DHA-CSP failed to query headers when trying to get HTTP status code. 
+ 32 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS + DHA-CSP failed to query headers when trying to get HTTP status code. - 33 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE - DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. + 33 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE + DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. - 34 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE - DHA-CSP received an empty response along with a HTTP error code from DHA-Service. + 34 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE + DHA-CSP received an empty response along with a HTTP error code from DHA-Service. - 35 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER - DHA-CSP failed to impersonate user. + 35 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER + DHA-CSP failed to impersonate user. - 36 - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR - DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. + 36 + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR + DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. - 0xFFFF - HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN - DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. + 0xFFFF + HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN + DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. - 400 - Bad_Request_From_Client - DHA-CSP has received a bad (malformed) attestation request. + 400 + Bad_Request_From_Client + DHA-CSP has received a bad (malformed) attestation request. - 404 - Endpoint_Not_Reachable - DHA-Service is not reachable by DHA-CSP + 404 + Endpoint_Not_Reachable + DHA-Service is not reachable by DHA-CSP 
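Review bot: the 400 row's name Bad_Request_From_Client says the client sent a bad request, but its description "DHA-CSP has received a bad (malformed) attestation request" puts the CSP on the receiving side; since DHA-CSP is the client in every other row, the description should say that DHA-Service received a malformed attestation request from DHA-CSP, and the table should state whether 400 and 404 are HTTP status codes passed through from the service or DHA-CSP status values like the 0 to 36 and 0xFFFF entries above them. Punctuation is also inconsistent between rows: "DHA-CSP failed in retrieving Windows AIK", "Invalid TPM version (TPM version is not 1.2 or 2.0)" and "DHA-Service is not reachable by DHA-CSP" lack terminal periods, "failed due to an unknown reason, this error is highly unlikely to occur" is a comma splice, and "a HTTP request handle" should be "an HTTP request handle".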
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 875c7d0ded..f2da07d4e2 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -41,12 +41,12 @@ The Store for Business provides services that enable a management tool to synchr -

                            Application data

                            -

                            The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

                            +

                            Application data

                            +

                            The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

                            -

                            Licensing models

                            -

                            Offline vs. Online

                            +

                            Licensing models

                            +

                            Offline vs. Online

                            Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.

                            Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
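Review bot: the last paragraph mixes singular and plural: "Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store" should read "Offline-licensed applications do not require connectivity to the store; however, they can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store." In the preceding paragraph, "Assigning or reclaiming seats for an application require a call" should be "requires a call".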

                            diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index ad2d4edddc..69893ff362 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -21,36 +21,36 @@ The following diagram shows the Messaging configuration service provider in tree **./User/Vendor/MSFT/Messaging** -

                            Root node for the Messaging configuration service provider.

                            +

                            Root node for the Messaging configuration service provider.

                            **AuditingLevel** -

                            Turns on the "Text" auditing feature.

                            -

                            The following list shows the supported values:

                            +

                            Turns on the "Text" auditing feature.

                            +

                            The following list shows the supported values:

                            • 0 (Default) - Off
                            • 1 - On
                            -

                            Supported operations are Get and Replace.

                            +

                            Supported operations are Get and Replace.

                            **Auditing** -

                            Node for auditing.

                            -

                            Supported operation is Get.

                            +

                            Node for auditing.

                            +

                            Supported operation is Get.

                            **Messages** -

                            Node for messages.

                            -

                            Supported operation is Get.

                            +

                            Node for messages.

                            +

                            Supported operation is Get.

                            **Count** -

                            The number of messages to return in the Data setting. The default is 100.

                            -

                            Supported operations are Get and Replace.

                            +

                            The number of messages to return in the Data setting. The default is 100.

                            +

                            Supported operations are Get and Replace.

                            **RevisionId** -

                            Retrieves messages whose revision ID is greater than RevisionId.

                            -

                            Supported operations are Get and Replace.

                            +

                            Retrieves messages whose revision ID is greater than RevisionId.

                            +

                            Supported operations are Get and Replace.

                            **Data** -

                            The JSON string of text messages on the device.

                            -

                            Supported operations are Get and Replace.

                            +

                            The JSON string of text messages on the device.

                            +

                            Supported operations are Get and Replace.

                            **SyncML example** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 6c898afe02..ceacdde6dd 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -140,53 +140,53 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma -
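Review bot: the Data node is described as "The JSON string of text messages on the device" yet lists Replace among its supported operations, the same as Count and RevisionId, which are genuine query parameters; if Replace on Data is not meaningful (the node reports message content rather than accepting it), the line should say "Supported operation is Get", and if it is meaningful the description should say what replacing the value does. AuditingLevel is described only as "Turns on the "Text" auditing feature" with values 0 and 1; since the nodes under Messages return message contents to the management server, a sentence stating what is collected once auditing is on would let administrators judge the privacy impact before enabling it.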

                            s:

                            -

                            MessageFormat

                            -

                            MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

                            -

                            Message format is bad

                            -

                            80180001

                            +

                            s:

                            +

                            MessageFormat

                            +

                            MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

                            +

                            Message format is bad

                            +

                            80180001

                            -

                            s:

                            -

                            Authentication

                            -

                            MENROLL_E_DEVICE_AUTHENTICATION_ERROR

                            -

                            User not recognized

                            -

                            80180002

                            +

                            s:

                            +

                            Authentication

                            +

                            MENROLL_E_DEVICE_AUTHENTICATION_ERROR

                            +

                            User not recognized

                            +

                            80180002

                            -

                            s:

                            -

                            Authorization

                            -

                            MENROLL_E_DEVICE_AUTHORIZATION_ERROR

                            -

                            User not allowed to enroll

                            -

                            80180003

                            +

                            s:

                            +

                            Authorization

                            +

                            MENROLL_E_DEVICE_AUTHORIZATION_ERROR

                            +

                            User not allowed to enroll

                            +

                            80180003

                            -

                            s:

                            -

                            CertificateRequest

                            -

                            MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

                            -

                            Failed to get certificate

                            -

                            80180004

                            +

                            s:

                            +

                            CertificateRequest

                            +

                            MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

                            +

                            Failed to get certificate

                            +

                            80180004

                            -

                            s:

                            -

                            EnrollmentServer

                            -

                            MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

                            - -

                            80180005

                            +

                            s:

                            +

                            EnrollmentServer

                            +

                            MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

                            + +

                            80180005

                            -

                            a:

                            -

                            InternalServiceFault

                            -

                            MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

                            -

                            The server hit an unexpected issue

                            -

                            80180006

                            +

                            a:

                            +

                            InternalServiceFault

                            +

                            MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

                            +

                            The server hit an unexpected issue

                            +

                            80180006

                            -

                            a:

                            -

                            InvalidSecurity

                            -

                            MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

                            -

                            Cannot parse the security header

                            -

                            80180007

                            +

                            a:

                            +

                            InvalidSecurity

                            +

                            MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

                            +

                            Cannot parse the security header

                            +

                            80180007
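Review bot: every row in this hunk (the error codes 80180003 through 80180007) is removed and re-added with identical visible text, so the change is whitespace-only; state that in the commit message (trailing-whitespace or indentation cleanup) so reviewers do not hunt for a content change in the error-code table.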

                            @@ -240,46 +240,46 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. -

                            DeviceCapReached

                            -

                            MENROLL_E_DEVICECAPREACHED

                            -

                            User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

                            -

                            80180013

                            +

                            DeviceCapReached

                            +

                            MENROLL_E_DEVICECAPREACHED

                            +

                            User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

                            +

                            80180013

                            -

                            DeviceNotSupported

                            -

                            MENROLL_E_DEVICENOTSUPPORTED

                            -

                            Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

                            -

                            80180014

                            +

                            DeviceNotSupported

                            +

                            MENROLL_E_DEVICENOTSUPPORTED

                            +

                            Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

                            +

                            80180014

                            -

                            NotSupported

                            -

                            MENROLL_E_NOTSUPPORTED

                            -

                            Mobile device management generally not supported (would save an admin call)

                            -

                            80180015

                            +

                            NotSupported

                            +

                            MENROLL_E_NOTSUPPORTED

                            +

                            Mobile device management generally not supported (would save an admin call)

                            +

                            80180015

                            -

                            NotEligibleToRenew

                            -

                            MENROLL_E_NOTELIGIBLETORENEW

                            -

                            Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

                            -

                            80180016

                            +

                            NotEligibleToRenew

                            +

                            MENROLL_E_NOTELIGIBLETORENEW

                            +

                            Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

                            +

                            80180016

                            -

                            InMaintenance

                            -

                            MENROLL_E_INMAINTENANCE

                            -

                            Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

                            -

                            80180017

                            +

                            InMaintenance

                            +

                            MENROLL_E_INMAINTENANCE

                            +

                            Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

                            +

                            80180017

                            -

                            UserLicense

                            -

                            MENROLL_E_USERLICENSE

                            -

                            License of user is in bad state and blocking the enrollment. The user needs to call the admin.

                            -

                            80180018

                            +

                            UserLicense

                            +

                            MENROLL_E_USERLICENSE

                            +

                            License of user is in bad state and blocking the enrollment. The user needs to call the admin.

                            +

                            80180018

                            -

                            InvalidEnrollmentData

                            -

                            MENROLL_E_ENROLLMENTDATAINVALID

                            -

                            The server rejected the enrollment data. The server may not be configured correctly.

                            -

                            80180019

                            +

                            InvalidEnrollmentData

                            +

                            MENROLL_E_ENROLLMENTDATAINVALID

                            +

                            The server rejected the enrollment data. The server may not be configured correctly.

                            +

                            80180019
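Review bot: the NotEligibleToRenew row (80180016) still says "Client might show notification for this if Robo fails" without defining "Robo"; since the row is re-added anyway, spell the term out or link to where certificate renewal is described. As in the previous hunk, the rows for 80180013 through 80180019 are otherwise unchanged in visible text, so this is a whitespace-only change.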

                            diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index f0fadc3fe5..19462512ee 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -45,79 +45,79 @@ NetworkQoSPolicy --------DSCPAction ``` **NetworkQoSPolicy** -

                            The root node for the NetworkQoSPolicy configuration service provider.

                            +

                            The root node for the NetworkQoSPolicy configuration service provider.

                            **Version** -

                            Specifies the version information. +

                            Specifies the version information. -

                            The data type is int. +

                            The data type is int. -

                            The only supported operation is Get. +

                            The only supported operation is Get. ***Name*** -

                            Node for the QoS policy name. +

                            Node for the QoS policy name. ***Name*/IPProtocolMatchCondition** -

                            Specifies the IP protocol used to match the network traffic. +

                            Specifies the IP protocol used to match the network traffic. -

                            Valid values are: +

                            Valid values are: - 0 (default) - Both TCP and UDP - 1 - TCP - 2 - UDP -

                            The data type is int. +

                            The data type is int. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/AppPathNameMatchCondition** -

                            Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. +

                            Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. -

                            The data type is char. +

                            The data type is char. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/SourcePortMatchCondition** -

                            Specifies a single port or a range of ports to be used to match the network traffic source. +

                            Specifies a single port or a range of ports to be used to match the network traffic source. -

                            Valid values are: +

                            Valid values are: - A range of source ports: _[first port number]_-_[last port number]_ - A single source port: _[port number]_ -

                            The data type is char. +

                            The data type is char. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/DestinationPortMatchCondition** -

                            Specifies a single source port or a range of ports to be used to match the network traffic destination. +

                            Specifies a single source port or a range of ports to be used to match the network traffic destination. -

                            Valid values are: +

                            Valid values are: - A range of destination ports: _[first port number]_-_[last port number]_ - A single destination port: _[port number]_ -

                            The data type is char. +

                            The data type is char. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/PriorityValue8021Action** -

                            Specifies the IEEE 802.1p priority value to apply to matching network traffic. +

                            Specifies the IEEE 802.1p priority value to apply to matching network traffic. -

                            Valid values are 0-7. +

                            Valid values are 0-7. -

                            The data type is int. +

                            The data type is int. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ***Name*/DSCPAction** -

                            The differentiated services code point (DSCP) value to apply to matching network traffic. +

                            The differentiated services code point (DSCP) value to apply to matching network traffic. -

                            Valid values are 0-63. +

                            Valid values are 0-63. -

                            The data type is int. +

                            The data type is int. -

                            The supported operations are Add, Get, Delete, and Replace. +

                            The supported operations are Add, Get, Delete, and Replace. ## Related topics diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 40757af748..5e8ad6957f 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -48,8 +48,8 @@ The following table shows the OMA DM standards that Windows uses. -
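Review bot: in the networkqospolicy-csp.md hunk above, the re-added description of ***Name*/DestinationPortMatchCondition** reads "Specifies a single source port or a range of ports to be used to match the network traffic destination"; change "source port" to "destination port" so it matches the SourcePortMatchCondition wording and the node's purpose. The rest of the hunk re-adds each line unchanged, so it is whitespace-only.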

                            Data transport and session

                            -
                              +

                              Data transport and session

                              +
                              • Client-initiated remote HTTPS DM session over SSL.

                              • Remote HTTPS DM session over SSL.

                              • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.

                              • @@ -57,14 +57,14 @@ The following table shows the OMA DM standards that Windows uses.
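Review bot: in the "Data transport and session" row of the @@ -48 hunk, the bullets "Client-initiated remote HTTPS DM session over SSL" and "Remote HTTPS DM session over SSL" differ only by "Client-initiated", and "over SSL" is both redundant with HTTPS and dated; consider collapsing them into one bullet that says "over TLS (HTTPS)". The row text is otherwise re-added unchanged.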
                              -

                              Bootstrap XML

                              -
                                +

                                Bootstrap XML

                                +
                                • OMA Client Provisioning XML.

                                -

                                DM protocol commands

                                -

                                The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

                                +

                                DM protocol commands

                                +

                                The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

                                • Add (Implicit Add supported)

                                • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.

                                • @@ -95,16 +95,16 @@ The following table shows the OMA DM standards that Windows uses.

                                  Meta XML tag in SyncHdr is ignored by the device.

                                  -

                                  OMA DM standard objects

                                  -
                                    +

                                    OMA DM standard objects

                                    +
                                    • DevInfo

                                    • DevDetail

                                    • OMA DM DMS account objects (OMA DM version 1.2)

                                    -

                                    Security

                                    -
                                      +

                                      Security

                                      +
                                      • Authenticate DM server initiation notification SMS message (not used by enterprise management)

                                      • Application layer Basic and MD5 client authentication

                                      • Authenticate server with MD5 credential at application level

                                      • @@ -113,8 +113,8 @@ The following table shows the OMA DM standards that Windows uses.
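Review bot: the "Security" row in the @@ -95 hunk lists "Application layer Basic and MD5 client authentication" and "Authenticate server with MD5 credential at application level" without saying when each is used or that they run inside the HTTPS session from the transport row; a one-line cross-reference to where the choice between Basic and MD5 is explained would help readers assessing the protocol's security. The text is otherwise unchanged.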
                                      -

                                      Nodes

                                      -

                                      In the OMA DM tree, the following rules apply for the node name:

                                      +

                                      Nodes

                                      +

                                      In the OMA DM tree, the following rules apply for the node name:

                                      • "." can be part of the node name.

                                      • The node name cannot be empty.

                                      • @@ -122,8 +122,8 @@ The following table shows the OMA DM standards that Windows uses.
                                      -

                                      Provisioning Files

                                      -

                                      Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

                                      +

                                      Provisioning Files

                                      +

                                      Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

                                      If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

                                      Note

                                      To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

                                      @@ -133,12 +133,12 @@ The following table shows the OMA DM standards that Windows uses.
                                      -

                                      WBXML support

                                      -

                                      Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

                                      +

                                      WBXML support

                                      +

                                      Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

                                      -

                                      Handling of large objects

                                      -

                                      In Windows 10, version 1511, client support for uploading large objects to the server was added.

                                      +

                                      Handling of large objects

                                      +

                                      In Windows 10, version 1511, client support for uploading large objects to the server was added.

                                      @@ -162,52 +162,52 @@ Common elements are used by other OMA DM element types. The following table list -

                                      Chal

                                      -

                                      Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

                                      +

                                      Chal

                                      +

                                      Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

                                      -

                                      Cmd

                                      -

                                      Specifies the name of an OMA DM command referenced in a Status element.

                                      +

                                      Cmd

                                      +

                                      Specifies the name of an OMA DM command referenced in a Status element.

                                      -

                                      CmdID

                                      -

                                      Specifies the unique identifier for an OMA DM command.

                                      +

                                      CmdID

                                      +

                                      Specifies the unique identifier for an OMA DM command.

                                      -

                                      CmdRef

                                      -

                                      Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

                                      +

                                      CmdRef

                                      +

                                      Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

                                      -

                                      Cred

                                      -

                                      Specifies the authentication credential for the originator of the message.

                                      +

                                      Cred

                                      +

                                      Specifies the authentication credential for the originator of the message.

                                      -

                                      Final

                                      -

                                      Indicates that the current message is the last message in the package.

                                      +

                                      Final

                                      +

                                      Indicates that the current message is the last message in the package.

                                      -

                                      LocName

                                      -

                                      Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

                                      +

                                      LocName

                                      +

                                      Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

                                      -

                                      LocURI

                                      -

                                      Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

                                      +

                                      LocURI

                                      +

                                      Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

                                      -

                                      MsgID

                                      -

                                      Specifies a unique identifier for an OMA DM session message.

                                      +

                                      MsgID

                                      +

                                      Specifies a unique identifier for an OMA DM session message.

                                      -

                                      MsgRef

                                      -

                                      Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

                                      +

                                      MsgRef

                                      +

                                      Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

                                      -

                                      RespURI

                                      -

                                      Specifies the URI that the recipient must use when sending a response to this message.

                                      +

                                      RespURI

                                      +

                                      Specifies the URI that the recipient must use when sending a response to this message.

                                      -

                                      SessionID

                                      -

                                      Specifies the identifier of the OMA DM session associated with the containing message.

                                      +

                                      SessionID

                                      +

                                      Specifies the identifier of the OMA DM session associated with the containing message.

                                      Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
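Review bot: the SessionID note at the end of the @@ -162 hunk reads "returns the SessionID in integer in decimal format"; rewrite as "returns the SessionID as an integer in decimal format" and fix the agreement in the last sentence ("the desktop and mobile device clients return 2 bytes"). The element rows above are re-added with identical text, so the hunk is whitespace-only.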
                                      @@ -216,28 +216,28 @@ Common elements are used by other OMA DM element types. The following table list
    -

    Source

    -

    Specifies the message source address.

    +

    Source

    +

    Specifies the message source address.

    -

    SourceRef

    -

    Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

    +

    SourceRef

    +

    Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

    -

    Target

    -

    Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

    +

    Target

    +

    Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

    -

    TargetRef

    -

    Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

    +

    TargetRef

    +

    Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

    -

    VerDTD

    -

    Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

    +

    VerDTD

    +

    Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

    -

    VerProto

    -

    Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

    +

    VerProto

    +

    Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

    @@ -272,32 +272,32 @@ The following table shows the sequence of events during a typical DM session. -

    1

    -

    DM client is invoked to call back to the management server

    +

    1

    +

    DM client is invoked to call back to the management server

    Enterprise scenario – The device task schedule invokes the DM client.

    -

    The MO server sends a server trigger message to invoke the DM client.

    +

    The MO server sends a server trigger message to invoke the DM client.

    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.

    -

    2

    -

    The device sends a message, over an IP connection, to initiate the session.

    -

    This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

    +

    2

    +

    The device sends a message, over an IP connection, to initiate the session.

    +

    This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

    -

    3

    -

    The DM server responds, over an IP connection (HTTPS).

    -

    The server sends initial device management commands, if any.

    +

    3

    +

    The DM server responds, over an IP connection (HTTPS).

    +

    The server sends initial device management commands, if any.

    -

    4

    -

    The device responds to server management commands.

    -

    This message includes the results of performing the specified device management operations.

    +

    4

    +

    The device responds to server management commands.

    +

    This message includes the results of performing the specified device management operations.

    -

    5

    -

    The DM server terminates the session or sends another command.

    -

    The DM session ends, or Step 4 is repeated.

    +

    5

    +

    The DM server terminates the session or sends another command.

    +

    The DM session ends, or Step 4 is repeated.
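Review bot: step 1 of the session table in the @@ -272 hunk carries two "Enterprise scenario" sentences ("The device task schedule invokes the DM client" and "At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS"), one before and one after the MO-server trigger text; merge them into one sentence so the enterprise path and the MO-server path each read once.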

    diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index bf3d84f0f4..7a1a41565d 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -30,14 +30,14 @@ Personalization ----LockScreenImageStatus ``` **./Vendor/MSFT/Personalization** -

    Defines the root node for the Personalization configuration service provider.

    +

    Defines the root node for the Personalization configuration service provider.

    **DesktopImageUrl** -

    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

    -

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    +

    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

    +

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    **DesktopImageStatus** -

    Represents the status of the desktop image. Valid values:

    +

    Represents the status of the desktop image. Valid values:

    • 1 - Successfully downloaded or copied.
    • 2 - Download or copy in progress.
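Review bot: the rewritten `DesktopImageUrl` description still reads `This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.`, which is missing the conjunction and mixes casing; suggest `an http or https URL to a remote image to be downloaded, or a file URL to a local image.` Since the text accepts plain http, it is also worth adding a sentence that an http URL fetches the image without transport protection and that https should be preferred for remote images. The `+` lines in this hunk are otherwise identical to the `-` lines, so the diff itself is whitespace or line-break markup only, which the commit message should say.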
    • @@ -47,18 +47,18 @@ Personalization
    • 6 - Max retry failed.
    • 7 - Blocked, SKU not allowed
    -

    Supporter operation is Get.

    +

    Supporter operation is Get.

    > [!Note] > This setting is only used to query status. To set the image, use the DesktopImageUrl setting. **LockScreenImageUrl** -

    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

    -

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    +

    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

    +

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    **LockScreenImageStatus** -

    Represents the status of the lock screen image. Valid values:

    +

    Represents the status of the lock screen image. Valid values:

    • 1 - Successfully downloaded or copied.
    • 2 - Download or copy in progress.
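Review bot: `Supporter operation is Get.` under `DesktopImageStatus` is a typo for `Supported operation is Get.`, and the `+` line in this hunk carries it forward unchanged; the same line under `LockScreenImageStatus` in the following hunk (`@@ -68,7 +68,7 @@`) needs the same fix. The `LockScreenImageUrl` description has the same wording problem as `DesktopImageUrl`: `a http or https Url to a remote image to be downloaded, a file Url to a local image` should read `an http or https URL to a remote image to be downloaded, or a file URL to a local image`.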
    • @@ -68,7 +68,7 @@ Personalization
    • 6 - Max retry failed.
    • 7 - Blocked, SKU not allowed
    -

    Supporter operation is Get.

    +

    Supporter operation is Get.

    > [!Note] > This setting is only used to query status. To set the image, use the LockScreenImageUrl setting. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index da0f0543dc..a03f3f09f7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -48,24 +48,24 @@ The following diagram shows the Policy configuration service provider in tree fo **./Vendor/MSFT/Policy** -

    The root node for the Policy configuration service provider. +

    The root node for the Policy configuration service provider. -

    Supported operation is Get. +

    Supported operation is Get. **Policy/Config** -

    Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +

    Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. -

    Supported operation is Get. +

    Supported operation is Get. **Policy/Config/_AreaName_** -

    The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. +

    The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. -

    Supported operations are Add, Get, and Delete. +

    Supported operations are Add, Get, and Delete. **Policy/Config/_AreaName/PolicyName_** -

    Specifies the name/value pair used in the policy. +

    Specifies the name/value pair used in the policy. -

    The following list shows some tips to help you when configuring policies: +

    The following list shows some tips to help you when configuring policies: - Separate substring values by the Unicode &\#xF000; in the XML file. @@ -77,59 +77,59 @@ The following diagram shows the Policy configuration service provider in tree fo - Value type is string. **Policy/Result** -

    Groups the evaluated policies from all providers that can be configured. +

    Groups the evaluated policies from all providers that can be configured. -

    Supported operation is Get. +

    Supported operation is Get. **Policy/Result/_AreaName_** -

    The area group that can be configured by a single technology independent of the providers. +

    The area group that can be configured by a single technology independent of the providers. -

    Supported operation is Get. +

    Supported operation is Get. **Policy/Result/_AreaName/PolicyName_** -

    Specifies the name/value pair used in the policy. +

    Specifies the name/value pair used in the policy. -

    Supported operation is Get. +

    Supported operation is Get. **Policy/ConfigOperations** -

    Added in Windows 10, version 1703. The root node for grouping different configuration operations. +

    Added in Windows 10, version 1703. The root node for grouping different configuration operations. -

    Supported operations are Add, Get, and Delete. +

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -

    Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration. +

    Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration. > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)). -

    ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. +

    ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. -

    Supported operations are Add, Get, and Delete. +

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_** -

    Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +

    Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. -

    Supported operations are Add, Get, and Delete. +

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. +

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. -

    Supported operations are Add, Get, and Delete. +

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -

    Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. +

    Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. -

    Supported operations are Add and Get. Does not support Delete. +

    Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. +

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. -

    Supported operations are Add, Get, and Delete. +

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -

    Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. +

    Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. -

    Supported operations are Add and Get. Does not support Delete. +

    Supported operations are Add and Get. Does not support Delete. ## Policies diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index b394ffb753..3df3e81293 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -761,7 +761,7 @@ PIN enforces the following behavior for desktop and mobile devices: The default value is 1. The following list shows the supported values and actual enforced values: - +
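Review bot: in the `policy-configuration-service-provider.md` hunk starting at `@@ -48,24 +48,24 @@`, the `Policy/Config` paragraph re-added on the `+` line keeps the misplaced comma in `(for example, if Exchange and MDM both attempt to set a value,) the configuration source`; move it outside the parenthesis: `(for example, if Exchange and MDM both attempt to set a value), the configuration source`. Every other `+` line in that hunk is identical to its `-` line, so the change is whitespace or line-break markup only and the commit message should say so.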
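Review bot: in the `policy-configuration-service-provider.md` hunk starting at `@@ -77,59 +77,59 @@`, the `ADMXInstall` paragraph ends with `see Win32 and Desktop Bridge app policy configuration` as a bare reference, while the neighbouring Office Customization Tool note uses a markdown link; link it, because this paragraph documents a security-relevant capability (an MDM server ingesting ADMX files that become new policies on the device, and removing them by a delete on `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`) and readers will want the detailed article. Also, `Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_` and the matching `Preference/_UniqueID_` node say `Does not support Delete` while the parent `_AppName_` node supports Delete; one sentence pointing to the parent-level delete described two paragraphs earlier would make that asymmetry deliberate rather than puzzling. As elsewhere in this patch, the `+` paragraphs are verbatim copies of the `-` paragraphs, so the hunk is markup-only and should be labelled as such in the commit.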
    @@ -777,24 +777,24 @@ The default value is 1. The following list shows the supported values and actual - - - + + + - - - + + + - - - + + + - - - + + +

    Mobile

    1,2,3,4

    Same as the value set

    Mobile

    1,2,3,4

    Same as the value set

    Desktop Local Accounts

    1,2,3

    3

    Desktop Local Accounts

    1,2,3

    3

    Desktop Microsoft Accounts

    1,2

    <p2

    Desktop Microsoft Accounts

    1,2

    <p2

    Desktop Domain Accounts

    Not supported

    Not supported

    Desktop Domain Accounts

    Not supported

    Not supported
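Review bot: the `Desktop Microsoft Accounts` row shows its enforced value as `<p2` in both the removed and the re-added cell, which looks like a broken `<p>2` tag; since these rows are being rewritten anyway, fix the cell so it renders as `2`, the way the `Desktop Local Accounts` row renders its enforced value `3`. The remaining cells in this hunk are re-added with identical text, so the intended change is presumably markup only and the commit message should say so.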

    diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index d627137d97..b033f662cc 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -747,7 +747,7 @@ The following list shows the supported values for Windows 8.1: - 1 – Allowed, except for Secondary Data Requests. - 2 (default) – Allowed. - @@ -790,7 +790,7 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restrictive value is 0. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1813782b4c..1fe9517d3d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1747,7 +1747,7 @@ Other/cannot defer: Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B -