For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable setting (default) | Any added search engines are removed from the employee’s device. |
-| Do not configure | The search engine list is set to what is specified in App settings. |
+## Always Enable book library
+>*Supporteded versions: Windows 10*
-### Configure Autofill
+This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation.
+
+**Microsoft Intune to manage your MDM settings**
+| | |
+|---|---|
+|MDM name |[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |
+|Supported devices |Desktop
Mobile |
+|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary |
+|Data type | Integer |
+|Allowed values |
- **0 (default)** - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available.
- **1** - Enable. Always show the Books Library, regardless of countries or region of activation.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Additional search engines are not allowed.
- **1** - Additional search engines are allowed.
- **0** - Employees cannot use Autofill to complete form fields.
- **1 (default)** - Employees can use Autofill to complete form fields.
- **Allow all cookies (default)** from all websites.
- **Block all cookies** from all websites.
- **Block only 3rd-party cookies** from 3rd-party websites.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCookies | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Allows all cookies from all sites.
- **1** - Blocks only cookies from 3rd party websites.
- **2** - Blocks all cookies from all sites.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.
- **1** - Employees can send Do Not Track headers to websites requesting tracking info.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites | +|Data type | String | + + +## Configure Password Manager +>*Supported versions: Windows 10* + +This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Employees cannot use Password Manager to save passwords locally.
- **1** - Employees can use Password Manager to save passwords locally.
- **0 (default)** - Turns off Pop-up Blocker, allowing pop-up windows.
- **1** - Turns on Pop-up Blocker, stopping pop-up windows.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Employees cannot see search suggestions in the Address bar of Microsoft Edge.
- **1** - Employees can see search suggestions in the Address bar of Microsoft Edge.
- **0** - Adobe Flash content is automatically loaded and run by Microsoft Edge.
- **1 (default)** - An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
`
>If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one. -### Configure Windows Defender SmartScreen +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList | +|Data type | String | +|Allowed values |
- Not configured.
- **1 (default)** - Use the Enterprise Mode Site List, if configured.
- **2** - Specify the location to the site list.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Turns off Windows Defender SmartScreen.
- **1** - Turns on Windows Defender SmartScreen, providing warning messages to your you about potential phishing scams and malicious software.
- **0 (default)** - Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
- **1** - Disable lockdown of the Start pages and allow users to modify them.
Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. | -| Disable or do not configure | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. | +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | +|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | +|Data type | Integer | +|Allowed values |
- **0** - Employees cannot sync settings between PCs.
- **1 (default)** - Employees can sync between PCs.
- **0 (default)** - Synchronization is turned off.
- **1** - Synchronization is turned on.
- **0 (default)** - Employees can access the about:flags page in Microsoft Edge.
- **1** - Employees cannot access the about:flags page in Microsoft Edge.
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Lets you ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
- **1** - Stops you from ignoring the Windows Defender SmartScreen warnings about unverified files.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Turns off Windows Defender SmartScreen.
- **1** - Turns on Windows Defender SmartScreen.
`https://fabrikam.com/opensearch.xml` | -| Disable | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . | -| Do not configure | The default search engine is set to the one specified in App settings. | +This policy setting specifies whether you can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and you can make changes to the Favorites list. If enabled, you cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. >[!Important] ->If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. -### Show message when opening sites in Internet Explorer +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Disabled. Do not lockdown Favorites.
- **1** - Enabled. Lockdown Favorites.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
- **1** - Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Employees see the First Run webpage.
- **1** - Employees do not see the First Run webpage.
- **0 (default)** - Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1** - Does not show an employee's LocalHost IP address while using the WebRTC protocol.
- **0 (default)** - Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1** - Automatically opens all intranet sites using Internet Explorer 11.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine | +|Data type | Integer | +|Allowed values |
- **0 (default)** - The default search engine is set to the one specified in App settings.
- **1** - Allows you to configure the default search engine for your you.
- **0 (default)** - Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **0** - No shared folder.
- **1** - Use as shared folder.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-### Favorites
-- **Supported versions:** Windows 10, version 1511 or later
-
-- **Supported devices:** Both
-
-- **Details:**
-
- - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/Favorites
-
- - **Data type:** String
-
- - **Allowed values:**
-
- - Configure the **Favorite** URLs for your employees.
-
- **Example:**
-
- Accounts: Block Microsoft accounts **Note** Microsoft accounts can still be used in apps. Enabled Interactive logon: Do not display last user name Enabled Interactive logon: Sign-in last interactive user automatically after a system-initiated restart Disabled Interactive logon: Sign-in last interactive user automatically after a system-initiated restart Disabled User Account Control: Behavior of the elevation prompt for standard users Auto deny ASP.NET MVC 4.0 [ASP.NET MVC 4 download](https://go.microsoft.com/fwlink/?LinkId=392271) Service Principal Name (SPN) The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools. If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](http://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs. **In Windows 10, version 1511** **In Windows 10, version 1607 and later** Use this setting if you only want to support Azure AD in your organization.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required. **Note** **Note** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **Important**
-
+
+
diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
index 79fac92aba..b5cd982105 100644
--- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
+++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
@@ -286,6 +286,10 @@ The following table lists the installation prerequisites for the MBAM Administra
+
+
@@ -85,7 +86,7 @@ These policies only apply to kiosk browser.
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -132,7 +133,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -179,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -226,7 +227,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -273,7 +274,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -322,7 +323,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 327397bc54..34c61a2c31 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/16/2018
+ms.date: 04/06/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -51,6 +51,15 @@ ms.date: 03/16/2018
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
4
+
+
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+GP Info:
+- GP English name: *Domain member: Disable machine account password changes*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@@ -2122,6 +2357,282 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+
+This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
+
+If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+If you do not configure this policy setting, no exceptions will be applied.
+
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Audit Incoming NTLM Traffic
+
+This policy setting allows you to audit incoming NTLM traffic.
+
+If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
+
+If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
+
+If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Incoming NTLM traffic
+
+This policy setting allows you to deny or allow incoming NTLM traffic.
+
+If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
+
+If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
+
+If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Incoming NTLM traffic*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+
+This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
+
+If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
+
+If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
+
+If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index dfdf82afa1..12b9c8386e 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -834,7 +834,7 @@ The following list shows the supported values:
> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. Desktop users should use Search/DoNotUseWebResults.
Specifies what level of safe search (filtering adult content) is required.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index f411b5bc5e..7e48ef64a7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -26,7 +26,7 @@ ms.date: 10/05/2017
|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
This setting only applies to Windows 10 Mobile.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled).|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 94f70ce62d..81fe4b5d61 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -230,6 +230,7 @@
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
+### [Determine the source of Windows updates](update/windows-update-sources.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index a9805be280..0cd39373d7 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -1,16 +1,16 @@
---
-title: Update Windows 10 in the enterprise (Windows 10)
+title: Update Windows 10 in enterprise deployments (Windows 10)
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: Jaimeo
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 11/17/2017
+ms.author: jaimeo
+ms.date: 04/06/2018
---
-# Update Windows 10 in the enterprise
+# Update Windows 10 in enterprise deployments
**Applies to**
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 24c89c24be..0967178c16 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -90,7 +90,7 @@ For Windows 10, version 1607, organizations already managing their systems with
-
+For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
## Related topics
diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md
new file mode 100644
index 0000000000..2fd8f9c79a
--- /dev/null
+++ b/windows/deployment/update/windows-update-sources.md
@@ -0,0 +1,37 @@
+---
+title: Determine the source of Windows updates
+description: Determine the source that Windows Update service is currently using.
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: high
+ms.author: jaimeo
+ms.date: 04/05/2018
+---
+
+# Determine the source of Windows updates
+
+Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
+
+1. Start Windows PowerShell as an administrator
+2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
+3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
+
+| Output | Interpretation |
+|-----------------------------------------------------|-----------------------------------|
+| - Name: **Microsoft Update**
-OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)|
+|- Name: **DCat Flighting Prod**
- OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
- Indicates that the client will not receive or is not configured to receive these updates. |
+| - Name: **Windows Store (DCat Prod)**
- OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.|
+|- Name: **Windows Server Update Service**
- OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS.|
+|- Name: **Windows Update**
- OffersWindowsUpdates: **True** |- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.|
+
+
+
+See also:
+
+[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760)
+
+[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
+
+[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index d3be3e2ba8..0e81b79e6d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -20,7 +20,7 @@ Prefer video? See
[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
in the Deep Dive into Windows Defender Credential Guard video series.
-For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
+For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements
diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
index 2d66a5c847..3cdfa39794 100644
--- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -799,7 +799,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications:
- ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
+ ` New-CIPolicy -Level FilePublisher -FilePath $InitialCIPolicy –UserPEs -FallBack Hash 3> CIPolicyLog.txt `
> [!Note]
@@ -841,7 +841,7 @@ When WDAC policies are run in audit mode, it allows administrators to discover a
> - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
-3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
+3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
> [!Note]
@@ -889,7 +889,7 @@ Use the following procedure after you have been running a computer with a WDAC p
3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
- ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
+ ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3 -FallBack Hash > CIPolicylog.txt`
> [!Note]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.