diff --git a/bcs/images/icon_video.svg b/bcs/images/icon_video.svg new file mode 100644 index 0000000000..76aebcbd5b --- /dev/null +++ b/bcs/images/icon_video.svg @@ -0,0 +1,59 @@ + + + + + 5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/index.md b/bcs/index.md index ba65b5d1ac..b662e42d74 100644 --- a/bcs/index.md +++ b/bcs/index.md @@ -20,7 +20,7 @@ description: Learn about the product documentation and resources available for M
- Learn about Microsoft 365 Business + Learn about Microsoft 365 Business
@@ -38,7 +38,7 @@ description: Learn about the product documentation and resources available for M
- Get started using Microsoft 365 Business + Get started using Microsoft 365 Business
@@ -786,7 +786,7 @@ description: Learn about the product documentation and resources available for M
- Set up Microsoft 365 Business + Set up Microsoft 365 Business
@@ -805,7 +805,7 @@ description: Learn about the product documentation and resources available for M
- Secure Windows 10 devices with Microsoft 365 Business + Secure Windows 10 devices with Microsoft 365 Business
@@ -824,7 +824,7 @@ description: Learn about the product documentation and resources available for M
- Secure Microsoft Office apps on iOS devices with Microsoft 365 Business + Secure Microsoft Office apps on iOS devices with Microsoft 365 Business
@@ -843,7 +843,7 @@ description: Learn about the product documentation and resources available for M
- Set up Windows devices for Microsoft 365 Business + Set up Windows devices for Microsoft 365 Business
@@ -862,7 +862,7 @@ description: Learn about the product documentation and resources available for M
- Demo: Microsoft 365 Business first run experience + Demo: Microsoft 365 Business first run experience
@@ -881,7 +881,7 @@ description: Learn about the product documentation and resources available for M
- Demo: Secure data and end user devices with Microsoft 365 Business + Demo: Secure data and end user devices with Microsoft 365 Business
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 308ce30051..03fe635e2e 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 08/16/2017 +ms.date: 09/25/2017 ms.localizationpriority: medium --- @@ -298,11 +298,6 @@ PrintSuccess "Connected to Lync Server Remote PowerShell" Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue -# In case there was any uncaught errors -ExitIfError("Remote connections failed. Please check your credentials and try again.") - - - ## Create the Exchange mailbox ## # Note: These exchange commandlets do not always throw their errors as exceptions @@ -669,11 +664,6 @@ catch Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue - -# In case there was any uncaught errors -ExitIfError "Remote connection failed. Please check your credentials and try again." - - ## Create the Exchange mailbox ## # Note: These exchange commandlets do not always throw their errors as exceptions @@ -1571,8 +1561,7 @@ catch Import-PSSession $sessCS -AllowClobber -# In case there was any uncaught errors -ExitIfError("Remote connection failed. Please check your credentials and try again.") + Write-Host "--------------------------------------------------------------." -foregroundcolor "magenta" # Getting registrar pool diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index fc50a8188d..6aeb77daa5 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 08/17/2017 +ms.date: 10/05/2017 ms.localizationpriority: medium --- @@ -16,11 +16,18 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## Octoboer 2017 + +New or changed topic | Description | +--- | --- +[Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md) | Updated instructions to use Windows Team device family + ## September 2017 New or changed topic | Description --- | --- [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | New +[PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | Updated account creation scripts ## August 2017 diff --git a/devices/surface-hub/images/device-family.png b/devices/surface-hub/images/device-family.png new file mode 100644 index 0000000000..1efe12fc57 Binary files /dev/null and b/devices/surface-hub/images/device-family.png differ diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index cf999ceac8..6a29b16f19 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub, store author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 +ms.date: 10/05/2017 ms.localizationpriority: medium --- @@ -18,8 +18,8 @@ ms.localizationpriority: medium You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario. A few things to know about apps on Surface Hub: -- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps). -- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631). +- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub). +- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631) or Windows Team device family. - By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps. @@ -56,11 +56,12 @@ During app submission, developers need to set **Device family availability** and **To set device family availability** 1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page. 2. Select **Packages**. -3. Under Device family availability, select these options: - - **Windows 10 Desktop** (other device families are optional) +3. Under **Device family availability**, select these options: + + - **Windows 10 Team** - **Let Microsoft decide whether to make the app available to any future device families** -![Image showing Device family availability page - part of Microsoft Store app submission process.](images/sh-device-family-availability.png) +![Image showing Device family availability page - part of Microsoft Store app submission process.](images/device-family.png) For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability). @@ -126,7 +127,7 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup |-----------------------------|----------------------------------------| | On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes | | Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes | -| Microsoft Intune standalone | No | +| Microsoft Intune standalone | Yes | | Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. | **To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)** diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index b7993ada90..00d3409f91 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -34,7 +34,7 @@ Compatible Surface devices include: - Surface Pro 4 -- Surface Pro3 +- Surface Pro 3 - Surface 3 diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 51de907eef..899c7aa79e 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -10,7 +10,7 @@ ms.localizationpriority: high ms.pagetype: edu author: CelesteDG ms.author: celested -ms.date: 08/29/2017 +ms.date: 10/04/2017 --- # Get started: Deploy and manage a full cloud IT solution with Microsoft Education @@ -146,6 +146,15 @@ To learn more about the services and tools mentioned in this walkthrough, and le - Deployment using PowerSchool Sync: How to deploy School Data Sync by using PowerSchool Sync and School Data Sync required attributes for PowerSchool Sync - Deployment using Clever Sync: How to deploy School Data Sync by using Clever Sync and School Data Sync required attributes for Clever sync - Deployment using OneRoster CSV files: How to deploy School Data Sync by using OneRoster CSV files +- Azure Active Directory features used by Intune for Education, including: + - Single Sign-On (SSO) - Allow your Azure AD users to access SSO-enabled apps, so they don’t need to type in their credentials to access these apps. + - MDM auto-enrollment - Devices are automatically enrolled with Intune upon being joined with Azure AD join. +- Enterprise state roaming - Keep school data and personal data separate on your devices. + - Dynamic groups - You can use dynamic groups to create rules that populate your groups (for example, a group with all 9th graders) instead of having to manually add or remove members of the groups. The group stays updated by continually staying populated with members that fit the rules you pick. + - Password write-back - Allows you to configure Azure AD to write passwords back to your on-premises Active Directory. It removes the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are. + - Administrative units + - Additional local administrators + - Self-service BitLocker recovery - A self-service portal that allows your employees to retrieve their BitLocker recovery key and avoid support calls. **For teachers** diff --git a/education/images/M365-education.svg b/education/images/M365-education.svg new file mode 100644 index 0000000000..7f83629296 --- /dev/null +++ b/education/images/M365-education.svg @@ -0,0 +1,171 @@ + + + + + M365-education + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/index.md b/education/index.md index bb44bf632a..34502750df 100644 --- a/education/index.md +++ b/education/index.md @@ -1,7 +1,7 @@ --- layout: HubPage hide_bc: true -title: Microsoft Education documentation and resources | Microsoft Docs +title: Microsoft 365 Education documentation and resources | Microsoft Docs description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. author: CelesteDG ms.author: celested @@ -10,7 +10,7 @@ ms.author: celested
  • - +
    @@ -28,7 +28,7 @@ ms.author: celested
  • - +
    @@ -46,7 +46,7 @@ ms.author: celested
  • - +
    @@ -74,8 +74,32 @@ ms.author: celested
    • +
    • +
      +

      Get started with deploying and managing a full cloud IT solution for your school, and follow the links for in-depth information about the technologies and features.

      +
      +
    • - + +
      +
      +
      +
      +
      + Learn about Microsoft 365 Education +
      +
      +
      +

      Microsoft 365 Education

      +

      Find out how to empower educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.

      +
      +
      +
      +
      +       +
      • +
    • +
      @@ -94,7 +118,7 @@ ms.author: celested
    • - +
      @@ -113,7 +137,7 @@ ms.author: celested
    • - +
      @@ -132,7 +156,7 @@ ms.author: celested
    • - +
      @@ -151,7 +175,7 @@ ms.author: celested
    • - +
      @@ -170,7 +194,7 @@ ms.author: celested
    • - +
      @@ -189,7 +213,7 @@ ms.author: celested
    • - +
      @@ -208,7 +232,7 @@ ms.author: celested
    • - +
      @@ -227,7 +251,7 @@ ms.author: celested
    • - +
      @@ -246,7 +270,7 @@ ms.author: celested
    • - +
      @@ -274,8 +298,13 @@ ms.author: celested
      • +
      • +
        +

        Looking for information and resources for teachers about Microsoft Education products? Start here.

        +
        +
      • - +
        @@ -294,7 +323,7 @@ ms.author: celested
      • - +
        @@ -313,7 +342,7 @@ ms.author: celested
      • - +
        @@ -332,7 +361,7 @@ ms.author: celested
      • - +
        @@ -351,7 +380,7 @@ ms.author: celested
      • - +
        @@ -370,7 +399,7 @@ ms.author: celested
      • - +
        @@ -389,7 +418,7 @@ ms.author: celested
      • - +
        @@ -408,7 +437,7 @@ ms.author: celested
      • - +
        @@ -436,8 +465,13 @@ ms.author: celested
      • diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index 0b9807c98b..e92eeae78c 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md @@ -1,4 +1,5 @@ # [Microsoft Store for Business](index.md) +## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) ## [Sign up and get started](sign-up-windows-store-for-business-overview.md) ###[Microsoft Store for Business and Microsoft Store for Education overview](windows-store-for-business-overview.md) ### [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md) diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md index aa700ada3e..42ad5a517d 100644 --- a/store-for-business/acquire-apps-windows-store-for-business.md +++ b/store-for-business/acquire-apps-windows-store-for-business.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +ms.date: 10/01/2017 ms.localizationpriority: high --- @@ -30,18 +31,17 @@ There are a couple of things we need to know when you pay for apps. You can add - Legal business address - Payment option (credit card) - ## Acquire apps **To acquire an app** -1. Log in to http://businessstore.microsoft.com -2. Click Shop, or use Search to find an app. +1. Sign in to http://businessstore.microsoft.com +2. Click **Shop**, or use Search to find an app. 3. Click the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. -5. Free apps will be added to **Inventory** or **Apps & software**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. -6. If you don’t have a payment method saved in **Account Information** or **Payments & billing**, we will prompt you for one. -7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information** or **Payments & billing**. +5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. +6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one. +7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**. -You’ll also need to have your business address saved on **Account information** or **Payments & billing**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information). +You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information). Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can: - Distribute the app: add to private store, or assign licenses @@ -51,3 +51,11 @@ Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & s For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md). For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). + +## Request apps +People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase. + +**To manage Allow app requests** +1. Sign in to http://businessstore.microsoft.com +2. Click **Manage**, click **Settings**, and then click **Distribute**. +3. Under **Private store** turn on, or turn off **Allow app requests**. diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md index 062c2dbeef..9eebbb170e 100644 --- a/store-for-business/app-inventory-management-windows-store-for-business.md +++ b/store-for-business/app-inventory-management-windows-store-for-business.md @@ -22,7 +22,7 @@ You can manage all apps that you've acquired on your **Apps & software** page. T All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses. - + Microsoft Store for Business and Education shows this info for each app in your inventory: - Name @@ -84,7 +84,7 @@ Once an app is in your private store, people in your org can install the app on 3. Use **Refine results** to search for online-licensed apps under **License type**. 4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**. -The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. +The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store. Employees can claim apps that admins added to the private store by doing the following. **To claim an app from the private store** diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-windows-store-for-business.md index 2074e51990..1948662653 100644 --- a/store-for-business/configure-mdm-provider-windows-store-for-business.md +++ b/store-for-business/configure-mdm-provider-windows-store-for-business.md @@ -1,6 +1,6 @@ --- title: Configure an MDM provider (Windows 10) -description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. +description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673 ms.prod: w10 ms.mktglfcycl: manage @@ -16,7 +16,7 @@ ms.localizationpriority: high - Windows 10 - Windows 10 Mobile -For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. +For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business @@ -35,7 +35,7 @@ After your management tool is added to your Azure AD directory, you can configur 3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.** Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics: -- [Manage apps you purchased from Windows Store for Business with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx) -- [Manage apps from Windows Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx) +- [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) For third-party MDM providers or management servers, check your product documentation. \ No newline at end of file diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index 1b56b97f4b..73c7ff9a4c 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -28,7 +28,7 @@ You can make an app available in your private store when you acquire the app, or 2. Click an app, choose the license type, and then click **Get the app** to acquire the app for your organization. - + Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps & software** for app distribution options. @@ -37,14 +37,14 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps & 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. - + 3. Use **Refine results** to search for online-licensed apps under **License type**. 4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**. -The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. +The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store. Employees can claim apps that admins added to the private store by doing the following. diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index 557c355557..7c5ff2adbd 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -22,7 +22,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Micr Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store. -In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune). +In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune). Microsoft Store services provide: @@ -44,11 +44,11 @@ MDM tool requirements: ## Distribute offline-licensed apps -If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-windows-store-for-business.md#licensing-model) +If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business.](apps-in-windows-store-for-business.md#licensing-model) This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices. -![Image showing flow for distributing offline-licensed app from Windows Store for Business to employees in your organization.](images/wsfb-offline-distribute-mdm.png) +![Image showing flow for distributing offline-licensed app from Microsoft Store for Business to employees in your organization.](images/wsfb-offline-distribute-mdm.png) ## Distribute online-licensed apps @@ -59,13 +59,4 @@ This diagram shows how you can use a management tool to distribute an online-lic ## Related topics [Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md) -[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx) - -  - -  - - - - - +[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx) \ No newline at end of file diff --git a/store-for-business/images/msfb-wn-1709-app-request.png b/store-for-business/images/msfb-wn-1709-app-request.png new file mode 100644 index 0000000000..e454aca9a9 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-app-request.png differ diff --git a/store-for-business/images/msfb-wn-1709-edge-ext.png b/store-for-business/images/msfb-wn-1709-edge-ext.png new file mode 100644 index 0000000000..15170ecfc3 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-edge-ext.png differ diff --git a/store-for-business/images/msfb-wn-1709-my-org.png b/store-for-business/images/msfb-wn-1709-my-org.png new file mode 100644 index 0000000000..ecb47b6e8a Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-my-org.png differ diff --git a/store-for-business/images/msfb-wn-1709-o365-csp.png b/store-for-business/images/msfb-wn-1709-o365-csp.png new file mode 100644 index 0000000000..b51d32923a Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-csp.png differ diff --git a/store-for-business/images/msfb-wn-1709-o365-prepaid.png b/store-for-business/images/msfb-wn-1709-o365-prepaid.png new file mode 100644 index 0000000000..9bdb360a31 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-prepaid.png differ diff --git a/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png new file mode 100644 index 0000000000..de246824f5 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png differ diff --git a/store-for-business/images/wsfb-wsappprivatestore.png b/store-for-business/images/wsfb-wsappprivatestore.png index 9c29e7604c..48d9f79892 100644 Binary files a/store-for-business/images/wsfb-wsappprivatestore.png and b/store-for-business/images/wsfb-wsappprivatestore.png differ diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md index f9592cd92e..e30487958f 100644 --- a/store-for-business/manage-settings-windows-store-for-business.md +++ b/store-for-business/manage-settings-windows-store-for-business.md @@ -12,7 +12,6 @@ ms.localizationpriority: high # Manage settings for Microsoft Store for Business and Education - **Applies to** - Windows 10 @@ -24,7 +23,7 @@ You can add users and groups, as well as update some of the settings associated | Topic | Description | | ----- | ----------- | -| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | The **Account information** page in Microsoft Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings. | +| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. | | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. | diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md new file mode 100644 index 0000000000..869d8d89db --- /dev/null +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -0,0 +1,22 @@ +--- +title: Whats new in Microsoft Store for Business and Education +description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.date: 09/21/2017 +--- + +# Microsoft Store for Business and Education release history + +Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases. + +Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) + +## August 2017 +These items were released or updated in August, 2017. + +- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md) +- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md) \ No newline at end of file diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-windows-store-for-business.md index 8b3a7e74a3..00de7300ea 100644 --- a/store-for-business/roles-and-permissions-windows-store-for-business.md +++ b/store-for-business/roles-and-permissions-windows-store-for-business.md @@ -89,7 +89,7 @@ These permissions allow people to: 3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** . - + 4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md). diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md index 09fbf09a41..6d5922b831 100644 --- a/store-for-business/settings-reference-windows-store-for-business.md +++ b/store-for-business/settings-reference-windows-store-for-business.md @@ -22,13 +22,15 @@ The Microsoft Store for Business and Education has a group of settings that admi | Setting | Description | Location under **Manage** | | ------- | ----------- | ------------------------------ | -| Account information and payment options | Manage organization and payment option information. For more information, see [Manage settings for the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md).| **Payments & billing** | -| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Store settings** | -| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Store settings** (Private store tab) | -| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Store settings** | -| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Store settings** | -| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions** | -| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions** | +| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md).| **Billing - Account profile** | +| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** | +| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** | +| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** | +| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-windows-store-for-business.md). | **Settings - Distribute** | +| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Settings - Distribute** | +| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** | +| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** | +| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** | diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index f88eec0840..951212afbd 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -32,7 +32,7 @@ We need an email address in case we need to contact you about your Microsoft Sto **To update Organization information** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, click **Payments & billing**, and then click **Edit**. +2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**. ## Organization tax information Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: @@ -87,7 +87,7 @@ If you qualify for tax-exempt status in your market, start a service request to **To start a service request** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Support**, and then under **Store or account support** click **Start a service request**. +2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**. You’ll need this documentation: @@ -124,8 +124,8 @@ You can purchase apps from Microsoft Store for Business using your credit card. **To add a new payment option** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Payments & billing**. -3. Under **Payment options**, click **Show my payment options**, and then select the type of credit card that you want to add. +2. Click **Manage**, click **Billing**, and then click **Payments methods**. +3. Click **Add a payment options**, and then select the type of credit card that you want to add. 4. Add information to any required fields, and then click **Next**. Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. @@ -136,10 +136,10 @@ Once you click Next, the information you provided will be validated with a tes **To update a payment option** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Payments & billng**. -3. Under **Payment options** > **Show my payment options**, select the payment option that you want to update, and then click **Update**. +2. Click **Manage**, click **Billing**, and then click **Payments methods**. +3. Select the payment option that you want to update, and then click **Update**. 4. Enter any updated information in the appropriate fields, and then click **Next**. -Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise,you will be prompted for additional information or notified if there are any problems. +Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. > [!NOTE] > Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. @@ -153,8 +153,8 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof **To set offline license visibility** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Payments & billing**. -3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses. +2. Click **Manage**, and then click **Settings - Shop**. +3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps. You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md new file mode 100644 index 0000000000..573f0a34c6 --- /dev/null +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -0,0 +1,35 @@ +--- +title: Whats new in Microsoft Store for Business and Education +description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.date: 10/04/2017 +--- + +# What's new in Microsoft Store for Business and Education + +Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today. + +## Latest updates for Store for Business and Education + +| | | +|-----------------------|---------------------------------| +| | **Manage Windows device deployment with Windows AutoPilot Deployment**

        In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.

        [Get more info](add-profile-to-devices.md)

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | +| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

        People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

        [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps)

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | +| ![Microsoft Store for Business My organization page, showing Agreements tab.](images/msfb-wn-1709-my-org.png) |**My organization**

        **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | +| ![Microsoft Store for Business Products and Services page, Subscription tab with prepaid Office 365 subscription.](images/msfb-wn-1709-o365-prepaid.png) |**Manage prepaid Office 365 subscriptions**

        Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. 

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | +| ![Microsoft Store for Business Products and Services page, Subscription tab with Office 365 subscription acquired by reseller.](images/msfb-wn-1709-o365-csp.png) |**Manage Office 365 subscriptions acquired by partners**

        Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. 

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | +| ![Microsoft Store for Business shop page.](images/msfb-wn-1709-edge-ext.png) |**Edge extensions in Microsoft Store**

        Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | +| ![Search results in Microsoft Store for Business showing sub categories.](images/msfb-wn-1709-search-result-sub-cat.png) |**Search results in Microsoft Store for Business**

        Search results now have sub categories to help you refine search results.

        **Applies to**:
        Microsoft Store for Business
        Microsoft Store for Education | + + \ No newline at end of file diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 1c683c1be0..87dc16ae0e 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -49,7 +49,7 @@ Admins need to invite developer or ISVs to become an LOB publisher. **To invite a developer to become an LOB publisher** -1. Sign in to the [Windows Store for Business]( https://go.microsoft.com/fwlink/p/?LinkId=623531). +1. Sign in to the [Microsoft Store for Business]( https://go.microsoft.com/fwlink/p/?LinkId=623531). 2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**. 3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer. >[!Note] @@ -98,7 +98,7 @@ After an ISV submits the LOB app for your company or school, someone with Micros After you add the app to your inventory, you can choose how to distribute the app. For more information, see: -- [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) +- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) - [Distribute apps from your private store](distribute-apps-from-your-private-store.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 51d3af12b8..084999e656 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -25,7 +25,7 @@ ms.date: 09/08/2017 >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 59a9bb791e..68f001e2f3 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -71,6 +71,23 @@ The table shows the minimum requirements for each deployment. ## Frequently Asked Questions +### What is the user experience for Windows Hello for Business? +The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. + +> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] + +
        + +> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] + +### What happens when my user forgets their PIN? + +If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. + +> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] + +For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + ### Do I need Windows Server 2016 domain controllers? There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md index 52c93015e2..bd3429561c 100644 --- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md @@ -314,4 +314,6 @@ If you want to use Windows Hello for Business with certificates, you’ll need a - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md index d3f89032e3..1d95c44fb4 100644 --- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -107,4 +107,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 3f1e9a5aaa..35f3b14372 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -1,5 +1,6 @@ # [Manage applications in Windows 10](index.md) ## [Sideload apps](sideload-apps-in-windows-10.md) +## [Remove background task resource restrictions](enterprise-background-activity-controls.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) @@ -101,6 +102,7 @@ #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## [Service Host process refactoring](svchost-service-refactoring.md) ## [Per-user services in Windows](per-user-services-in-windows.md) +## [Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) ## [Change history for Application management](change-history-for-application-management.md) diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index 5178cf9050..3aca385415 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | New or changed topic | Description | | --- | --- | | [Per-user services in Windows 10](per-user-services-in-windows.md) | New | +| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | New | | [Understand the different apps included in Windows 10](apps-in-windows-10.md) | New | ## July 2017 diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md new file mode 100644 index 0000000000..48e61b947d --- /dev/null +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -0,0 +1,64 @@ +--- +author: TylerMSFT +title: Remove background task resource restrictions +description: Allow enterprise background tasks unrestricted access to computer resources. +ms.author: twhitney +ms.date: 09/26/2017 +ms.topic: article +ms.prod: windows +ms.technology: uwp +keywords: windows 10, uwp, enterprise, background task, resources +--- + +# Remove background task resource restrictions + +To provide the best experience for consumers, Windows provides controls that give users the choice of which experiences may run in the background. + +By default, resource limits are imposed on applications. Foreground apps are given the most memory and execution time; background apps get less. Users are thus protected from poor foreground app performance and heavy battery drain. + +Enterprise users want the same ability to enable or limit background activity. In Windows 10, version 1703 (also known as the Creators Update), enterprises can now configure settings via policy and provisioning that control background activity. + +## Background activity controls + +Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background.  + +![Background apps settings page](images/backgroundapps-setting.png) + +The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:  + +![Battery usage by app on desktop](images/battery-usage-by-app-desktop.png) + +Here is the set of available controls for mobile devices:  + +![Battery usage by app on mobile](images/battery-usage-by-app-mobile.png) + +Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity). + +## Enterprise background activity controls  + +Starting with Windows 10, version 1703, enterprises can control background activity through mobile device management (MDM) or Group Policy. The user controls discussed above can be controlled with the following policies:  + +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground`  +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceAllowTheseApps` +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps`  +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps` + +These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies. + +An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](https://docs.microsoft.com/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](https://docs.microsoft.com/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:  +   +- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This enables apps to run as much as possible in the background, including while the device is in battery saver mode. +   +- **AllowedSubjectToSystemPolicy**: This is the default value. It corresponds to **Managed by Windows**. This enables apps to run in the background as determined by Windows. If the device is currently in the battery saver state then background activities do not run.  +   +- **DeniedDueToSystemPolicy**: Corresponds to **Managed by Windows** and indicates that the system has determined that the app cannot currently run in the background.  +   +- **DeniedByUser**: Corresponds to **Never Allowed in the Background**. The app cannot run in the background. Either the configuration in the settings app, or enterprise policy, has defined that this app is not allowed to run in the background.  + +The Universal Windows Platform ensures that consumers will have great battery life and that foreground apps will perform well. Enterprises have the ability to change settings to enable scenarios specific to their business needs. Administrators can use the **Background apps** policies to enable or disable whether a UWP app can run in the background. + +## See also + +- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly) +- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) +[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity) diff --git a/windows/application-management/images/backgroundapps-setting.png b/windows/application-management/images/backgroundapps-setting.png new file mode 100644 index 0000000000..ffa7af0ccf Binary files /dev/null and b/windows/application-management/images/backgroundapps-setting.png differ diff --git a/windows/application-management/images/battery-usage-by-app-desktop.png b/windows/application-management/images/battery-usage-by-app-desktop.png new file mode 100644 index 0000000000..00f7d51136 Binary files /dev/null and b/windows/application-management/images/battery-usage-by-app-desktop.png differ diff --git a/windows/application-management/images/battery-usage-by-app-mobile.png b/windows/application-management/images/battery-usage-by-app-mobile.png new file mode 100644 index 0000000000..cb920d0d02 Binary files /dev/null and b/windows/application-management/images/battery-usage-by-app-mobile.png differ diff --git a/windows/application-management/index.md b/windows/application-management/index.md index 17767877fd..b42c674d12 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md @@ -19,9 +19,12 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients. | Topic | Description | |---|---| -|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients| -|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| -|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise| +| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. | +|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| | [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 | +|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| +[Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) | Security guidelines for disabling services in Windows Server 2016 with Desktop Experience +|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise| | [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile | +[Change history for Application management](change-history-for-application-management.md) | This topic lists new and updated topics in the Application management documentation for Windows 10 and Windows 10 Mobile. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 2d1385d654..6b56d24b8f 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -25,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. +- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index e9a60b1ed6..e02d2d3e65 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -168,4 +168,4 @@ When a user is configured with a mandatory profile, Windows 10 starts as though - [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight) - [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 947ffa3bac..623210a376 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -2,6 +2,7 @@ ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md) ## [Mobile device enrollment](mobile-device-enrollment.md) ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) +### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 2e6580c656..bd4a538872 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/19/2017 +ms.date: 10/03/2017 --- # AssignedAccess CSP @@ -19,16 +19,17 @@ The AssignedAccess configuration service provider (CSP) is used set the device t For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) -> **Note**  The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro. +> [!Note] +> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. The following diagram shows the AssignedAccess configuration service provider in tree format ![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) -**./Vendor/MSFT/AssignedAccess** +**./Device/Vendor/MSFT/AssignedAccess** Root node for the CSP. -**AssignedAccess/KioskModeApp** +**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220). In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). @@ -49,7 +50,7 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. -**AssignedAccess/Configuration** +**./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). Enterprises can use this to easily configure and manage the curated lockdown experience. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index ff8c33aa7e..fd5460395b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2537,6 +2537,7 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that - [ActiveSync CSP](activesync-csp.md) - [APPLICATION CSP](application-csp.md) - [AppLocker CSP](applocker-csp.md) +- [AssignedAccess CSP](assignedaccess-csp.md) - [BOOTSTRAP CSP](bootstrap-csp.md) - [CellularSettings CSP](cellularsettings-csp.md) - [CertificateStore CSP](certificatestore-csp.md) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md new file mode 100644 index 0000000000..268ff5b5ee --- /dev/null +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -0,0 +1,121 @@ +--- +title: Enroll a Windows 10 device automatically using Group Policy +description: Enroll a Windows 10 device automatically using Group Policy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 10/02/2017 +--- + +# Enroll a Windows 10 device automatically using Group Policy + +Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices. + +Requirements: +- AD-joined PC running Windows 10, version 1709 +- Enterprise has MDM service already configured +- Enterprise AD must be registered with Azure AD + +> [!Tip] +> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) + +To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line. + +Here is a partial screenshot of the result: + +![device status result](images/autoenrollment-device-status.png) + +The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. + +> [!Note] +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation. + +When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. + +In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence. + +For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. + +## Configure the auto-enrollment Group Policy for a single PC + +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). + +Requirements: +- AD-joined PC running Windows 10, version 1709 +- Enterprise has MDM service already configured +- Enterprise AD must be registered with Azure AD + +1. Run GPEdit.msc + + Click Start, then in the text box type gpedit. + + ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) + +2. Under **Best match**, click **Edit group policy** to launch it. + +3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. + + ![MDM policies](images/autoenrollment-mdm-policies.png) + +4. Double-click **Auto MDM Enrollment with AAD Token**. + + ![MDM autoenrollment policy](images/autoenrollment-policy.png) + +5. Click **Enable**, then click **OK**. + + A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + + To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). + + If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. + + ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) + +6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. + +7. Click **Info** to see the MDM enrollment information. + + ![Work School Settings](images/autoenrollment-settings-work-school.png) + + If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). + + +### Task Scheduler app + +1. Click **Start**, then in the text box type **task scheduler**. + + ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png) + +2. Under **Best match**, click **Task Scheduler** to launch it. + +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. + + ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) + + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + + If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. + +## Configure the auto-enrollment for a group of devices + +Requirements: +- AD-joined PC running Windows 10, version 1709 +- Enterprise has MDM service already configured (with Intune or a third party service provider) +- Enterprise AD must be integrated with Azure AD. +- Ensure that PCs belong to same computer group. + +1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**. +2. Create a Security Group for the PCs. +3. Link the GPO. +4. Filter using Security Groups. +5. Enforce a GPO link + +### Related topics + +- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx) +- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx) +- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx) +- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx) +- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx) diff --git a/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png new file mode 100644 index 0000000000..ba16fbcd27 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-device-status.png b/windows/client-management/mdm/images/autoenrollment-device-status.png new file mode 100644 index 0000000000..67072b0da7 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-device-status.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-gpedit.png b/windows/client-management/mdm/images/autoenrollment-gpedit.png new file mode 100644 index 0000000000..e863dfc945 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-gpedit.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-mdm-policies.png b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png new file mode 100644 index 0000000000..29cb6d14da Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-policy.png b/windows/client-management/mdm/images/autoenrollment-policy.png new file mode 100644 index 0000000000..f9bb009514 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-policy.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-scheduled-task.png b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png new file mode 100644 index 0000000000..bfa805bfbd Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-settings-work-school.png b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png new file mode 100644 index 0000000000..31fb7a400a Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png new file mode 100644 index 0000000000..56f071dcda Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png index df8aa48b95..c8db9ee059 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png new file mode 100644 index 0000000000..c75d6ca38f Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png new file mode 100644 index 0000000000..bf44fb2d97 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png new file mode 100644 index 0000000000..66c6b0ee19 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png new file mode 100644 index 0000000000..cd28d561d8 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png new file mode 100644 index 0000000000..48025064e0 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png new file mode 100644 index 0000000000..8fbb961540 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png new file mode 100644 index 0000000000..a3e3fe20d2 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png new file mode 100644 index 0000000000..304bf8aa0b Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png new file mode 100644 index 0000000000..5ed04fb4a2 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index af2ac59df8..2066c8391f 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 09/19/2017 --- # MDM enrollment of Windows-based devices @@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You ### Using the Settings app -1. Launch the Settings app. +1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts** - ![windows settings page](images/unifiedenrollment-rs1-21.png) + ![windows settings page](images/unifiedenrollment-rs1-21-b.png) -2. Next, navigate to **Accounts**. +2. Navigate to **Access work or school**. - ![windows settings accounts select](images/unifiedenrollment-rs1-22.png) + ![select access work or school](images/unifiedenrollment-rs1-23-b.png) -3. Navigate to **Access work or school**. +3. Click **Connect**. - ![select access work or school](images/unifiedenrollment-rs1-23.png) + ![connect to work or school](images/unifiedenrollment-rs1-24-b.png) -4. Click **Connect**. +4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![connect to work or school](images/unifiedenrollment-rs1-24.png) + ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png) -5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - - ![join work or school account to azure ad](images/unifiedenrollment-rs1-25.png) - -6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. +5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. + ![corporate sign in](images/unifiedenrollment-rs1-26.png) -7. After you complete the flow, your Microsoft account will be connected to your work or school account. +6. After you complete the flow, your Microsoft account will be connected to your work or school account. ![account successfully added](images/unifiedenrollment-rs1-27.png) @@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. + + ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. - - ![corporate sign in](images/unifiedenrollment-rs1-33.png) + ### Connecting to MDM on a phone (Enrolling in device management) @@ -343,16 +342,7 @@ The following procedure describes how users can connect their devices to MDM usi Your work or school connections can be managed on the **Settings** > **Accounts** > **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection. -![managing work or school account](images/unifiedenrollment-rs1-34.png) - -### Manage - -The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios: - -- Connecting your device to an Azure AD domain -- Connecting to a work or school account. - -Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser. +![managing work or school account](images/unifiedenrollment-rs1-34-b.png) ### Info @@ -364,7 +354,12 @@ The **Info** button can be found on work or school connections involving MDM. Th Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed. -![work or school info](images/unifiedenrollment-rs1-35.png) +Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot. + +![work or school info](images/unifiedenrollment-rs1-35-b.png) + +> [!Note] +> Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect @@ -375,16 +370,14 @@ The **Disconnect** button can be found on all work connections. Generally, click > **Warning**  Disconnecting might result in the loss of data on the device. -  - -![disconnect work or school account](images/unifiedenrollment-rs1-36.png) - ## Collecting diagnostic logs You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files. -![collecting enrollment management log files](images/unifiedenrollment-rs1-37.png) +Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot. + +![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)   @@ -392,4 +385,3 @@ You can collect diagnostic logs around your work connections by going to **Setti - diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 239445ade8..e9c457174a 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/19/2017 +ms.date: 10/02/2017 --- # What's new in MDM enrollment and management @@ -1000,8 +1000,21 @@ For details about Microsoft mobile device management protocols for Windows 10 s

        Added new policies.

        -Microsoft Store for Business -

        Windows Store for Business name changed to Microsoft Store for Business.

        +Microsoft Store for Business and Microsoft Store +

        Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

        + +[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +

        New features in the Settings app:

        +
          +
        • User sees installation progress of critical policies during MDM enrollment.
          • +
        • User knows what policies, profiles, apps MDM has configured
          • +
        • IT helpdesk can get detailed MDM diagnostic information using client tools
          • +
        +

        For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)

        + + +[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) +

        Added new topic to introduce a new Group Policy for automatic MDM enrollment.

        [Policy CSP](policy-configuration-service-provider.md) @@ -1384,8 +1397,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

        Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

        -Microsoft Store for Business -

        Windows Store for Business name changed to Microsoft Store for Business.

        +Microsoft Store for Business and Microsoft Store +

        Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

        The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx) @@ -1401,9 +1414,24 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [EntepriseAPN CSP](enterpriseapn-csp.md)

        Added a SyncML example.

        + [VPNv2 CSP](vpnv2-csp.md)

        Added RegisterDNS setting in Windows 10, version 1709.

        + +[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) +

        Added new topic to introduce a new Group Policy for automatic MDM enrollment.

        + + +[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +

        New features in the Settings app:

        +
          +
        • User sees installation progress of critical policies during MDM enrollment.
          • +
        • User knows what policies, profiles, apps MDM has configured
          • +
        • IT helpdesk can get detailed MDM diagnostic information using client tools
          • +
        +

        For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)

        + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 121d77fdb7..f0b176f45a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/25/2017 +ms.date: 09/29/2017 --- # Policy CSP @@ -22,6 +22,26 @@ The Policy configuration service provider has the following sub-categories: - Policy/Config/*AreaName* – Handles the policy configuration request from the server. - Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device. + + +> [!Important] +> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. +> +> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths: +> +> User scope: +> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. +> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. +> +> Device scope: +> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. +> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. +> +> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent: +> +> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. +> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. + The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. ![policy csp diagram](images/provisioning-csp-policy.png) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 2268695665..64f921aac1 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AboveLock @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## AboveLock policies +
        +
        + AboveLock/AllowActionCenterNotifications +
        +
        + AboveLock/AllowCortanaAboveLock +
        +
        + AboveLock/AllowToasts +
        +
        + +
        **AboveLock/AllowActionCenterNotifications** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -60,6 +82,7 @@ ms.date: 08/30/2017 +
        **AboveLock/AllowCortanaAboveLock** @@ -86,6 +109,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. @@ -96,6 +128,7 @@ ms.date: 08/30/2017 +

        **AboveLock/AllowToasts** @@ -122,6 +155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether to allow toast notifications above the device lock screen. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index f2e678427b..cbec351d99 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Accounts @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## Accounts policies +
        +
        + Accounts/AllowAddingNonMicrosoftAccountsManually +
        +
        + Accounts/AllowMicrosoftAccountConnection +
        +
        + Accounts/AllowMicrosoftAccountSignInAssistant +
        +
        + Accounts/DomainNamesForEmailSync +
        +
        + +
        **Accounts/AllowAddingNonMicrosoftAccountsManually** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether user is allowed to add non-MSA email accounts. @@ -60,6 +85,7 @@ ms.date: 08/30/2017 +

        **Accounts/AllowMicrosoftAccountConnection** @@ -86,6 +112,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. @@ -98,6 +133,7 @@ ms.date: 08/30/2017 +

        **Accounts/AllowMicrosoftAccountSignInAssistant** @@ -124,6 +160,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. @@ -134,6 +179,7 @@ ms.date: 08/30/2017 +

        **Accounts/DomainNamesForEmailSync** @@ -160,6 +206,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies a list of the domains that are allowed to sync email on the device. diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 755aeb5a2e..d01ca2a458 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ActiveXControls @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## ActiveXControls policies +
        +
        + ActiveXControls/ApprovedInstallationSites +
        +
        + +
        **ActiveXControls/ApprovedInstallationSites** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 838ad9fbc8..4e71e25975 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ApplicationDefaults @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## ApplicationDefaults policies +
        +
        + ApplicationDefaults/DefaultAssociationsConfiguration +
        +
        + +
        **ApplicationDefaults/DefaultAssociationsConfiguration** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index bb72e071a6..7690c7eb20 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ApplicationManagement @@ -14,11 +14,48 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## ApplicationManagement policies +
        +
        + ApplicationManagement/AllowAllTrustedApps +
        +
        + ApplicationManagement/AllowAppStoreAutoUpdate +
        +
        + ApplicationManagement/AllowDeveloperUnlock +
        +
        + ApplicationManagement/AllowGameDVR +
        +
        + ApplicationManagement/AllowSharedUserAppData +
        +
        + ApplicationManagement/AllowStore +
        +
        + ApplicationManagement/ApplicationRestrictions +
        +
        + ApplicationManagement/DisableStoreOriginatedApps +
        +
        + ApplicationManagement/RequirePrivateStoreOnly +
        +
        + ApplicationManagement/RestrictAppDataToSystemVolume +
        +
        + ApplicationManagement/RestrictAppToSystemVolume +
        +
        + +
        **ApplicationManagement/AllowAllTrustedApps** @@ -45,6 +82,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether non Microsoft Store apps are allowed. @@ -58,6 +104,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/AllowAppStoreAutoUpdate** @@ -84,6 +131,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether automatic update of apps from Microsoft Store are allowed. @@ -96,6 +152,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/AllowDeveloperUnlock** @@ -122,6 +179,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether developer unlock is allowed. @@ -135,6 +201,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/AllowGameDVR** @@ -161,6 +228,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -176,6 +252,7 @@ ms.date: 08/30/2017 +
        **ApplicationManagement/AllowSharedUserAppData** @@ -202,6 +279,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether multiple users of the same app can share data. @@ -214,6 +300,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/AllowStore** @@ -240,6 +327,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether app store is allowed at the device. @@ -252,6 +348,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/ApplicationRestrictions** @@ -278,6 +375,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -305,6 +411,7 @@ ms.date: 08/30/2017 +
        **ApplicationManagement/DisableStoreOriginatedApps** @@ -331,6 +438,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. @@ -341,6 +457,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/RequirePrivateStoreOnly** @@ -367,6 +484,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
        + +

        Allows disabling of the retail catalog and only enables the Private store. @@ -388,6 +514,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/RestrictAppDataToSystemVolume** @@ -414,6 +541,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether application data is restricted to the system drive. @@ -426,6 +562,7 @@ ms.date: 08/30/2017 +

        **ApplicationManagement/RestrictAppToSystemVolume** @@ -452,6 +589,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether the installation of applications is restricted to the system drive. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index e44fda0b34..512cbecf60 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AppVirtualization @@ -14,11 +14,99 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## AppVirtualization policies +
        +
        + AppVirtualization/AllowAppVClient +
        +
        + AppVirtualization/AllowDynamicVirtualization +
        +
        + AppVirtualization/AllowPackageCleanup +
        +
        + AppVirtualization/AllowPackageScripts +
        +
        + AppVirtualization/AllowPublishingRefreshUX +
        +
        + AppVirtualization/AllowReportingServer +
        +
        + AppVirtualization/AllowRoamingFileExclusions +
        +
        + AppVirtualization/AllowRoamingRegistryExclusions +
        +
        + AppVirtualization/AllowStreamingAutoload +
        +
        + AppVirtualization/ClientCoexistenceAllowMigrationmode +
        +
        + AppVirtualization/IntegrationAllowRootGlobal +
        +
        + AppVirtualization/IntegrationAllowRootUser +
        +
        + AppVirtualization/PublishingAllowServer1 +
        +
        + AppVirtualization/PublishingAllowServer2 +
        +
        + AppVirtualization/PublishingAllowServer3 +
        +
        + AppVirtualization/PublishingAllowServer4 +
        +
        + AppVirtualization/PublishingAllowServer5 +
        +
        + AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +
        +
        + AppVirtualization/StreamingAllowHighCostLaunch +
        +
        + AppVirtualization/StreamingAllowLocationProvider +
        +
        + AppVirtualization/StreamingAllowPackageInstallationRoot +
        +
        + AppVirtualization/StreamingAllowPackageSourceRoot +
        +
        + AppVirtualization/StreamingAllowReestablishmentInterval +
        +
        + AppVirtualization/StreamingAllowReestablishmentRetries +
        +
        + AppVirtualization/StreamingSharedContentStoreMode +
        +
        + AppVirtualization/StreamingSupportBranchCache +
        +
        + AppVirtualization/StreamingVerifyCertificateRevocationList +
        +
        + AppVirtualization/VirtualComponentsAllowList +
        +
        + +
        **AppVirtualization/AllowAppVClient** @@ -45,6 +133,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. @@ -65,6 +162,7 @@ ADMX Info: +
        **AppVirtualization/AllowDynamicVirtualization** @@ -91,6 +189,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. @@ -111,6 +218,7 @@ ADMX Info: +
        **AppVirtualization/AllowPackageCleanup** @@ -137,6 +245,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. @@ -157,6 +274,7 @@ ADMX Info: +
        **AppVirtualization/AllowPackageScripts** @@ -183,6 +301,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Enables scripts defined in the package manifest of configuration files that should run. @@ -203,6 +330,7 @@ ADMX Info: +
        **AppVirtualization/AllowPublishingRefreshUX** @@ -229,6 +357,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Enables a UX to display to the user when a publishing refresh is performed on the client. @@ -249,6 +386,7 @@ ADMX Info: +
        **AppVirtualization/AllowReportingServer** @@ -275,6 +413,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Reporting Server URL: Displays the URL of reporting server. @@ -305,6 +452,7 @@ ADMX Info: +
        **AppVirtualization/AllowRoamingFileExclusions** @@ -331,6 +479,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. @@ -351,6 +508,7 @@ ADMX Info: +
        **AppVirtualization/AllowRoamingRegistryExclusions** @@ -377,6 +535,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. @@ -397,6 +564,7 @@ ADMX Info: +
        **AppVirtualization/AllowStreamingAutoload** @@ -423,6 +591,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies how new packages should be loaded automatically by App-V on a specific computer. @@ -443,6 +620,7 @@ ADMX Info: +
        **AppVirtualization/ClientCoexistenceAllowMigrationmode** @@ -469,6 +647,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. @@ -489,6 +676,7 @@ ADMX Info: +
        **AppVirtualization/IntegrationAllowRootGlobal** @@ -515,6 +703,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. @@ -535,6 +732,7 @@ ADMX Info: +
        **AppVirtualization/IntegrationAllowRootUser** @@ -561,6 +759,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. @@ -581,6 +788,7 @@ ADMX Info: +
        **AppVirtualization/PublishingAllowServer1** @@ -607,6 +815,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Publishing Server Display Name: Displays the name of publishing server. @@ -645,6 +862,7 @@ ADMX Info: +
        **AppVirtualization/PublishingAllowServer2** @@ -671,6 +889,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Publishing Server Display Name: Displays the name of publishing server. @@ -709,6 +936,7 @@ ADMX Info: +
        **AppVirtualization/PublishingAllowServer3** @@ -735,6 +963,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Publishing Server Display Name: Displays the name of publishing server. @@ -773,6 +1010,7 @@ ADMX Info: +
        **AppVirtualization/PublishingAllowServer4** @@ -799,6 +1037,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Publishing Server Display Name: Displays the name of publishing server. @@ -837,6 +1084,7 @@ ADMX Info: +
        **AppVirtualization/PublishingAllowServer5** @@ -863,6 +1111,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Publishing Server Display Name: Displays the name of publishing server. @@ -901,6 +1158,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** @@ -927,6 +1185,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the path to a valid certificate in the certificate store. @@ -947,6 +1214,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowHighCostLaunch** @@ -973,6 +1241,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). @@ -993,6 +1270,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowLocationProvider** @@ -1019,6 +1297,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. @@ -1039,6 +1326,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowPackageInstallationRoot** @@ -1065,6 +1353,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies directory where all new applications and updates will be installed. @@ -1085,6 +1382,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowPackageSourceRoot** @@ -1111,6 +1409,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Overrides source location for downloading package content. @@ -1131,6 +1438,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowReestablishmentInterval** @@ -1157,6 +1465,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the number of seconds between attempts to reestablish a dropped session. @@ -1177,6 +1494,7 @@ ADMX Info: +
        **AppVirtualization/StreamingAllowReestablishmentRetries** @@ -1203,6 +1521,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies the number of times to retry a dropped session. @@ -1223,6 +1550,7 @@ ADMX Info: +
        **AppVirtualization/StreamingSharedContentStoreMode** @@ -1249,6 +1577,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies that streamed package contents will be not be saved to the local hard disk. @@ -1269,6 +1606,7 @@ ADMX Info: +
        **AppVirtualization/StreamingSupportBranchCache** @@ -1295,6 +1633,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache @@ -1315,6 +1662,7 @@ ADMX Info: +
        **AppVirtualization/StreamingVerifyCertificateRevocationList** @@ -1341,6 +1689,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Verifies Server certificate revocation status before streaming using HTTPS. @@ -1361,6 +1718,7 @@ ADMX Info: +
        **AppVirtualization/VirtualComponentsAllowList** @@ -1387,6 +1745,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 202f7f324a..19b60c53f6 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AttachmentManager @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## AttachmentManager policies +
        +
        + AttachmentManager/DoNotPreserveZoneInformation +
        +
        + AttachmentManager/HideZoneInfoMechanism +
        +
        + AttachmentManager/NotifyAntivirusPrograms +
        +
        + +
        **AttachmentManager/DoNotPreserveZoneInformation** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
        + + This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. @@ -71,6 +93,7 @@ ADMX Info: +
        **AttachmentManager/HideZoneInfoMechanism** @@ -97,6 +120,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
        + + This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. @@ -123,6 +155,7 @@ ADMX Info: +
        **AttachmentManager/NotifyAntivirusPrograms** @@ -149,6 +182,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
        + + This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 3c483fb097..d33bbd648c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/06/2017 +ms.date: 09/29/2017 --- # Policy CSP - Authentication @@ -14,11 +14,27 @@ ms.date: 09/06/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## Authentication policies +
        +
        + Authentication/AllowAadPasswordReset +
        +
        + Authentication/AllowEAPCertSSO +
        +
        + Authentication/AllowFastReconnect +
        +
        + Authentication/AllowSecondaryAuthenticationDevice +
        +
        + +
        **Authentication/AllowAadPasswordReset** @@ -45,6 +61,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.  @@ -55,6 +80,7 @@ ms.date: 09/06/2017 +

        **Authentication/AllowEAPCertSSO** @@ -81,6 +107,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
        + +

        Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. @@ -98,6 +133,7 @@ ms.date: 09/06/2017 +

        **Authentication/AllowFastReconnect** @@ -124,6 +160,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Allows EAP Fast Reconnect from being attempted for EAP Method TLS. @@ -136,6 +181,7 @@ ms.date: 09/06/2017 +

        **Authentication/AllowSecondaryAuthenticationDevice** @@ -162,6 +208,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index daac26b55d..f63666cdc6 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Autoplay @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## Autoplay policies +
        +
        + Autoplay/DisallowAutoplayForNonVolumeDevices +
        +
        + Autoplay/SetDefaultAutoRunBehavior +
        +
        + Autoplay/TurnOffAutoPlay +
        +
        + +
        **Autoplay/DisallowAutoplayForNonVolumeDevices** @@ -45,6 +58,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + This policy setting disallows AutoPlay for MTP devices like cameras or phones. @@ -69,6 +92,7 @@ ADMX Info: +
        **Autoplay/SetDefaultAutoRunBehavior** @@ -95,6 +119,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + This policy setting sets the default behavior for Autorun commands. @@ -128,6 +162,7 @@ ADMX Info: +
        **Autoplay/TurnOffAutoPlay** @@ -154,6 +189,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + This policy setting allows you to turn off the Autoplay feature. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 1220f63607..3d4c5bac81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Bitlocker @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## Bitlocker policies +
        +
        + Bitlocker/EncryptionMethod +
        +
        + +
        **Bitlocker/EncryptionMethod** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies the BitLocker Drive Encryption method and cipher strength. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 7bd2ea4992..d874f9ffa2 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Bluetooth @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## Bluetooth policies +
        +
        + Bluetooth/AllowAdvertising +
        +
        + Bluetooth/AllowDiscoverableMode +
        +
        + Bluetooth/AllowPrepairing +
        +
        + Bluetooth/LocalDeviceName +
        +
        + Bluetooth/ServicesAllowedList +
        +
        + +
        **Bluetooth/AllowAdvertising** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether the device can send out Bluetooth advertisements. @@ -59,6 +87,7 @@ ms.date: 08/30/2017 +

        **Bluetooth/AllowDiscoverableMode** @@ -85,6 +114,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether other Bluetooth-enabled devices can discover the device. @@ -99,6 +137,7 @@ ms.date: 08/30/2017 +

        **Bluetooth/AllowPrepairing** @@ -125,6 +164,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. @@ -135,6 +183,7 @@ ms.date: 08/30/2017 +

        **Bluetooth/LocalDeviceName** @@ -161,6 +210,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Sets the local Bluetooth device name. @@ -170,6 +228,7 @@ ms.date: 08/30/2017 +

        **Bluetooth/ServicesAllowedList** @@ -196,6 +255,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 82c992e8eb..2c7f399858 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Browser @@ -14,11 +14,123 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## Browser policies +
        +
        + Browser/AllowAddressBarDropdown +
        +
        + Browser/AllowAutofill +
        +
        + Browser/AllowBrowser +
        +
        + Browser/AllowCookies +
        +
        + Browser/AllowDeveloperTools +
        +
        + Browser/AllowDoNotTrack +
        +
        + Browser/AllowExtensions +
        +
        + Browser/AllowFlash +
        +
        + Browser/AllowFlashClickToRun +
        +
        + Browser/AllowInPrivate +
        +
        + Browser/AllowMicrosoftCompatibilityList +
        +
        + Browser/AllowPasswordManager +
        +
        + Browser/AllowPopups +
        +
        + Browser/AllowSearchEngineCustomization +
        +
        + Browser/AllowSearchSuggestionsinAddressBar +
        +
        + Browser/AllowSmartScreen +
        +
        + Browser/AlwaysEnableBooksLibrary +
        +
        + Browser/ClearBrowsingDataOnExit +
        +
        + Browser/ConfigureAdditionalSearchEngines +
        +
        + Browser/DisableLockdownOfStartPages +
        +
        + Browser/EnterpriseModeSiteList +
        +
        + Browser/EnterpriseSiteListServiceUrl +
        +
        + Browser/FirstRunURL +
        +
        + Browser/HomePages +
        +
        + Browser/LockdownFavorites +
        +
        + Browser/PreventAccessToAboutFlagsInMicrosoftEdge +
        +
        + Browser/PreventFirstRunPage +
        +
        + Browser/PreventLiveTileDataCollection +
        +
        + Browser/PreventSmartScreenPromptOverride +
        +
        + Browser/PreventSmartScreenPromptOverrideForFiles +
        +
        + Browser/PreventUsingLocalHostIPAddressForWebRTC +
        +
        + Browser/ProvisionFavorites +
        +
        + Browser/SendIntranetTraffictoInternetExplorer +
        +
        + Browser/SetDefaultSearchEngine +
        +
        + Browser/ShowMessageWhenOpeningSitesInInternetExplorer +
        +
        + Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +
        +
        + +
        **Browser/AllowAddressBarDropdown** @@ -45,6 +157,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  @@ -60,6 +182,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowAutofill** @@ -86,6 +209,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether autofill on websites is allowed. @@ -105,6 +238,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowBrowser** @@ -131,6 +265,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -149,6 +293,7 @@ ms.date: 08/30/2017 +
        **Browser/AllowCookies** @@ -175,6 +320,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether cookies are allowed. @@ -194,6 +349,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowDeveloperTools** @@ -220,6 +376,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -236,6 +402,7 @@ ms.date: 08/30/2017 +
        **Browser/AllowDoNotTrack** @@ -262,6 +429,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether Do Not Track headers are allowed. @@ -281,6 +458,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowExtensions** @@ -307,6 +485,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. @@ -317,6 +505,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowFlash** @@ -343,6 +532,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. @@ -353,6 +552,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowFlashClickToRun** @@ -379,6 +579,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. @@ -389,6 +599,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowInPrivate** @@ -415,6 +626,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether InPrivate browsing is allowed on corporate networks. @@ -427,6 +648,7 @@ ms.date: 08/30/2017 +

        **Browser/AllowMicrosoftCompatibilityList** @@ -453,6 +675,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". @@ -468,6 +700,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/AllowPasswordManager** @@ -494,6 +727,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether saving and managing passwords locally on the device is allowed. @@ -513,6 +756,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/AllowPopups** @@ -539,6 +783,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether pop-up blocker is allowed or enabled. @@ -558,6 +812,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/AllowSearchEngineCustomization** @@ -584,6 +839,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.     @@ -598,6 +863,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/AllowSearchSuggestionsinAddressBar** @@ -624,6 +890,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether search suggestions are allowed in the address bar. @@ -636,6 +912,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/AllowSmartScreen** @@ -662,6 +939,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether Windows Defender SmartScreen is allowed. @@ -681,9 +968,20 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/AlwaysEnableBooksLibrary** + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        @@ -691,6 +989,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/ClearBrowsingDataOnExit** @@ -717,6 +1016,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. @@ -735,6 +1044,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +

        **Browser/ConfigureAdditionalSearchEngines** @@ -761,6 +1071,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.    @@ -781,6 +1101,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/DisableLockdownOfStartPages** @@ -807,6 +1128,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.     @@ -825,6 +1156,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/EnterpriseModeSiteList** @@ -851,6 +1183,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -865,6 +1207,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
        **Browser/EnterpriseSiteListServiceUrl** @@ -891,12 +1234,23 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!IMPORTANT] > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). +
        **Browser/FirstRunURL** @@ -923,6 +1277,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -936,6 +1300,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
        **Browser/HomePages** @@ -962,6 +1327,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -977,6 +1352,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
        **Browser/LockdownFavorites** @@ -1003,6 +1379,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. @@ -1022,6 +1408,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/PreventAccessToAboutFlagsInMicrosoftEdge** @@ -1048,6 +1435,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -1058,6 +1455,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/PreventFirstRunPage** @@ -1084,6 +1482,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. @@ -1096,6 +1504,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/PreventLiveTileDataCollection** @@ -1122,6 +1531,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. @@ -1134,6 +1553,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/PreventSmartScreenPromptOverride** @@ -1160,6 +1580,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. @@ -1172,6 +1602,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/PreventSmartScreenPromptOverrideForFiles** @@ -1198,6 +1629,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. @@ -1208,6 +1649,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/PreventUsingLocalHostIPAddressForWebRTC** @@ -1234,6 +1676,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1248,6 +1700,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
        **Browser/ProvisionFavorites** @@ -1274,6 +1727,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.   @@ -1292,6 +1755,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/SendIntranetTraffictoInternetExplorer** @@ -1318,6 +1782,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1334,6 +1808,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
        **Browser/SetDefaultSearchEngine** @@ -1360,6 +1835,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. @@ -1379,6 +1864,7 @@ Employees cannot remove these search engines, but they can set any one as the de +

        **Browser/ShowMessageWhenOpeningSitesInInternetExplorer** @@ -1405,6 +1891,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1421,6 +1917,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
        **Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** @@ -1447,6 +1944,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + +

        Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index ca7b98ecc5..ce33fa4faa 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Camera @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## Camera policies +
        +
        + Camera/AllowCamera +
        +
        + +
        **Camera/AllowCamera** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Disables or enables the camera. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index b1c206e118..183748ec41 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Cellular @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## Cellular policies +
        +
        + Cellular/ShowAppCellularAccessUI +
        +
        + +
        **Cellular/ShowAppCellularAccessUI** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 5ffa503ab6..415ebf1eac 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Connectivity @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## Connectivity policies +
        +
        + Connectivity/AllowBluetooth +
        +
        + Connectivity/AllowCellularData +
        +
        + Connectivity/AllowCellularDataRoaming +
        +
        + Connectivity/AllowConnectedDevices +
        +
        + Connectivity/AllowNFC +
        +
        + Connectivity/AllowUSBConnection +
        +
        + Connectivity/AllowVPNOverCellular +
        +
        + Connectivity/AllowVPNRoamingOverCellular +
        +
        + Connectivity/DiablePrintingOverHTTP +
        +
        + Connectivity/DisableDownloadingOfPrintDriversOverHTTP +
        +
        + Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +
        +
        + Connectivity/HardenedUNCPaths +
        +
        + Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +
        +
        + +
        **Connectivity/AllowBluetooth** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Allows the user to enable Bluetooth or restrict access. @@ -64,6 +116,7 @@ ms.date: 08/30/2017 +

        **Connectivity/AllowCellularData** @@ -90,6 +143,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. @@ -101,6 +163,7 @@ ms.date: 08/30/2017 +

        **Connectivity/AllowCellularDataRoaming** @@ -127,6 +190,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. @@ -148,6 +220,7 @@ ms.date: 08/30/2017 +

        **Connectivity/AllowConnectedDevices** @@ -174,6 +247,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy requires reboot to take effect. @@ -187,6 +269,7 @@ ms.date: 08/30/2017 +
        **Connectivity/AllowNFC** @@ -213,6 +296,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -229,6 +321,7 @@ ms.date: 08/30/2017 +
        **Connectivity/AllowUSBConnection** @@ -255,6 +348,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -273,6 +375,7 @@ ms.date: 08/30/2017 +
        **Connectivity/AllowVPNOverCellular** @@ -299,6 +402,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Specifies what type of underlying connections VPN is allowed to use. @@ -311,6 +423,7 @@ ms.date: 08/30/2017 +

        **Connectivity/AllowVPNRoamingOverCellular** @@ -337,6 +450,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Prevents the device from connecting to VPN when the device roams over cellular networks. @@ -349,6 +471,7 @@ ms.date: 08/30/2017 +

        **Connectivity/DiablePrintingOverHTTP** @@ -375,6 +498,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!TIP] @@ -393,6 +525,7 @@ ADMX Info: +
        **Connectivity/DisableDownloadingOfPrintDriversOverHTTP** @@ -419,6 +552,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!TIP] @@ -437,6 +579,7 @@ ADMX Info: +
        **Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** @@ -463,6 +606,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!TIP] @@ -481,6 +633,7 @@ ADMX Info: +
        **Connectivity/HardenedUNCPaths** @@ -507,6 +660,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting configures secure access to UNC paths. @@ -529,6 +691,7 @@ ADMX Info: +
        **Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** @@ -555,6 +718,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index e253febdf8..5274de917b 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - CredentialProviders @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## CredentialProviders policies +
        +
        + CredentialProviders/AllowPINLogon +
        +
        + CredentialProviders/BlockPicturePassword +
        +
        + CredentialProviders/DisableAutomaticReDeploymentCredentials +
        +
        + +
        **CredentialProviders/AllowPINLogon** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting allows you to control whether a domain user can sign in using a convenience PIN. @@ -73,6 +95,7 @@ ADMX Info: +
        **CredentialProviders/BlockPicturePassword** @@ -99,6 +122,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting allows you to control whether a domain user can sign in using a picture password. @@ -125,6 +157,7 @@ ADMX Info: +
        **CredentialProviders/DisableAutomaticReDeploymentCredentials** @@ -151,6 +184,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 15d68cf69e..1b7955f4e5 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - CredentialsUI @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## CredentialsUI policies +
        +
        + CredentialsUI/DisablePasswordReveal +
        +
        + CredentialsUI/EnumerateAdministrators +
        +
        + +
        **CredentialsUI/DisablePasswordReveal** @@ -45,6 +55,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
        + + This policy setting allows you to configure the display of the password reveal button in password entry user experiences. @@ -73,6 +93,7 @@ ADMX Info: +
        **CredentialsUI/EnumerateAdministrators** @@ -99,6 +120,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index eef7cdeba4..9c5f328c19 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Cryptography @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## Cryptography policies +
        +
        + Cryptography/AllowFipsAlgorithmPolicy +
        +
        + Cryptography/TLSCipherSuites +
        +
        + +
        **Cryptography/AllowFipsAlgorithmPolicy** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Allows or disallows the Federal Information Processing Standard (FIPS) policy. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +

        **Cryptography/TLSCipherSuites** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index edba750722..1261f2c311 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DataProtection @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

        + ## DataProtection policies +
        +
        + DataProtection/AllowDirectMemoryAccess +
        +
        + DataProtection/LegacySelectiveWipeID +
        +
        + +
        **DataProtection/AllowDirectMemoryAccess** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +

        This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. @@ -57,6 +76,7 @@ ms.date: 08/30/2017 +

        **DataProtection/LegacySelectiveWipeID** @@ -83,6 +103,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!IMPORTANT] > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index a8724cc2f6..540a7d26a6 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DataUsage @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## DataUsage policies +
        +
        + DataUsage/SetCost3G +
        +
        + DataUsage/SetCost4G +
        +
        + +
        **DataUsage/SetCost3G** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting configures the cost of 3G connections on the local machine. @@ -75,6 +94,7 @@ ADMX Info: +
        **DataUsage/SetCost4G** @@ -101,6 +121,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + This policy setting configures the cost of 4G connections on the local machine. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 3f35e2d4eb..9d75a9f6fa 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Defender @@ -14,11 +14,120 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## Defender policies +
        +
        + Defender/AllowArchiveScanning +
        +
        + Defender/AllowBehaviorMonitoring +
        +
        + Defender/AllowCloudProtection +
        +
        + Defender/AllowEmailScanning +
        +
        + Defender/AllowFullScanOnMappedNetworkDrives +
        +
        + Defender/AllowFullScanRemovableDriveScanning +
        +
        + Defender/AllowIOAVProtection +
        +
        + Defender/AllowIntrusionPreventionSystem +
        +
        + Defender/AllowOnAccessProtection +
        +
        + Defender/AllowRealtimeMonitoring +
        +
        + Defender/AllowScanningNetworkFiles +
        +
        + Defender/AllowScriptScanning +
        +
        + Defender/AllowUserUIAccess +
        +
        + Defender/AttackSurfaceReductionOnlyExclusions +
        +
        + Defender/AttackSurfaceReductionRules +
        +
        + Defender/AvgCPULoadFactor +
        +
        + Defender/CloudBlockLevel +
        +
        + Defender/CloudExtendedTimeout +
        +
        + Defender/ControlledFolderAccessAllowedApplications +
        +
        + Defender/ControlledFolderAccessProtectedFolders +
        +
        + Defender/DaysToRetainCleanedMalware +
        +
        + Defender/EnableControlledFolderAccess +
        +
        + Defender/EnableNetworkProtection +
        +
        + Defender/ExcludedExtensions +
        +
        + Defender/ExcludedPaths +
        +
        + Defender/ExcludedProcesses +
        +
        + Defender/PUAProtection +
        +
        + Defender/RealTimeScanDirection +
        +
        + Defender/ScanParameter +
        +
        + Defender/ScheduleQuickScanTime +
        +
        + Defender/ScheduleScanDay +
        +
        + Defender/ScheduleScanTime +
        +
        + Defender/SignatureUpdateInterval +
        +
        + Defender/SubmitSamplesConsent +
        +
        + Defender/ThreatSeverityDefaultAction +
        +
        + +
        **Defender/AllowArchiveScanning** @@ -45,6 +154,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -59,6 +177,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowBehaviorMonitoring** @@ -85,6 +204,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -99,6 +227,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowCloudProtection** @@ -125,6 +254,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -139,6 +277,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowEmailScanning** @@ -165,6 +304,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -179,6 +327,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowFullScanOnMappedNetworkDrives** @@ -205,6 +354,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -219,6 +377,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowFullScanRemovableDriveScanning** @@ -245,6 +404,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -259,6 +427,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowIOAVProtection** @@ -285,6 +454,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -299,6 +477,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowIntrusionPreventionSystem** @@ -325,6 +504,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -339,6 +527,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowOnAccessProtection** @@ -365,6 +554,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -379,6 +577,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowRealtimeMonitoring** @@ -405,6 +604,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -419,6 +627,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowScanningNetworkFiles** @@ -445,6 +654,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -459,6 +677,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowScriptScanning** @@ -485,6 +704,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -499,6 +727,7 @@ ms.date: 08/30/2017 +
        **Defender/AllowUserUIAccess** @@ -525,6 +754,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -539,6 +777,7 @@ ms.date: 08/30/2017 +
        **Defender/AttackSurfaceReductionOnlyExclusions** @@ -565,6 +804,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -576,6 +824,7 @@ ms.date: 08/30/2017 +
        **Defender/AttackSurfaceReductionRules** @@ -602,6 +851,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -615,6 +873,7 @@ ms.date: 08/30/2017 +
        **Defender/AvgCPULoadFactor** @@ -641,6 +900,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -654,6 +922,7 @@ ms.date: 08/30/2017 +
        **Defender/CloudBlockLevel** @@ -680,6 +949,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -703,6 +981,7 @@ ms.date: 08/30/2017 +
        **Defender/CloudExtendedTimeout** @@ -729,6 +1008,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -744,6 +1032,7 @@ ms.date: 08/30/2017 +
        **Defender/ControlledFolderAccessAllowedApplications** @@ -770,6 +1059,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. @@ -778,6 +1076,7 @@ ms.date: 08/30/2017 +
        **Defender/ControlledFolderAccessProtectedFolders** @@ -804,6 +1103,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. @@ -812,6 +1120,7 @@ ms.date: 08/30/2017 +
        **Defender/DaysToRetainCleanedMalware** @@ -838,6 +1147,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -851,6 +1169,7 @@ ms.date: 08/30/2017 +
        **Defender/EnableControlledFolderAccess** @@ -877,6 +1196,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. @@ -889,6 +1217,7 @@ ms.date: 08/30/2017 +
        **Defender/EnableNetworkProtection** @@ -915,6 +1244,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -935,6 +1273,7 @@ ms.date: 08/30/2017 +
        **Defender/ExcludedExtensions** @@ -961,6 +1300,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -970,6 +1318,7 @@ ms.date: 08/30/2017 +
        **Defender/ExcludedPaths** @@ -996,6 +1345,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1005,6 +1363,7 @@ ms.date: 08/30/2017 +
        **Defender/ExcludedProcesses** @@ -1031,6 +1390,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1046,6 +1414,7 @@ ms.date: 08/30/2017 +
        **Defender/PUAProtection** @@ -1072,6 +1441,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1087,6 +1465,7 @@ ms.date: 08/30/2017 +
        **Defender/RealTimeScanDirection** @@ -1113,6 +1492,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1132,6 +1520,7 @@ ms.date: 08/30/2017 +
        **Defender/ScanParameter** @@ -1158,6 +1547,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1172,6 +1570,7 @@ ms.date: 08/30/2017 +
        **Defender/ScheduleQuickScanTime** @@ -1198,6 +1597,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1217,6 +1625,7 @@ ms.date: 08/30/2017 +
        **Defender/ScheduleScanDay** @@ -1243,6 +1652,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1268,6 +1686,7 @@ ms.date: 08/30/2017 +
        **Defender/ScheduleScanTime** @@ -1294,6 +1713,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1313,6 +1741,7 @@ ms.date: 08/30/2017 +
        **Defender/SignatureUpdateInterval** @@ -1339,6 +1768,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1354,6 +1792,7 @@ ms.date: 08/30/2017 +
        **Defender/SubmitSamplesConsent** @@ -1380,6 +1819,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1396,6 +1844,7 @@ ms.date: 08/30/2017 +
        **Defender/ThreatSeverityDefaultAction** @@ -1422,6 +1871,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index e352718a5d..f001c4ea3e 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeliveryOptimization @@ -14,11 +14,63 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## DeliveryOptimization policies +
        +
        + DeliveryOptimization/DOAbsoluteMaxCacheSize +
        +
        + DeliveryOptimization/DOAllowVPNPeerCaching +
        +
        + DeliveryOptimization/DODownloadMode +
        +
        + DeliveryOptimization/DOGroupId +
        +
        + DeliveryOptimization/DOMaxCacheAge +
        +
        + DeliveryOptimization/DOMaxCacheSize +
        +
        + DeliveryOptimization/DOMaxDownloadBandwidth +
        +
        + DeliveryOptimization/DOMaxUploadBandwidth +
        +
        + DeliveryOptimization/DOMinBackgroundQos +
        +
        + DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +
        +
        + DeliveryOptimization/DOMinDiskSizeAllowedToPeer +
        +
        + DeliveryOptimization/DOMinFileSizeToCache +
        +
        + DeliveryOptimization/DOMinRAMAllowedToPeer +
        +
        + DeliveryOptimization/DOModifyCacheDrive +
        +
        + DeliveryOptimization/DOMonthlyUploadDataCap +
        +
        + DeliveryOptimization/DOPercentageMaxDownloadBandwidth +
        +
        + +
        **DeliveryOptimization/DOAbsoluteMaxCacheSize** @@ -45,6 +97,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -56,6 +117,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOAllowVPNPeerCaching** @@ -82,6 +144,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -93,6 +164,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DODownloadMode** @@ -119,6 +191,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -137,6 +218,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOGroupId** @@ -163,6 +245,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -175,6 +266,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMaxCacheAge** @@ -201,6 +293,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -212,6 +313,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMaxCacheSize** @@ -238,6 +340,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -249,6 +360,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMaxDownloadBandwidth** @@ -275,6 +387,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -286,6 +407,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMaxUploadBandwidth** @@ -312,6 +434,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -323,6 +454,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMinBackgroundQos** @@ -349,6 +481,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -360,6 +501,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** @@ -386,6 +528,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -396,6 +547,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMinDiskSizeAllowedToPeer** @@ -422,6 +574,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -436,6 +597,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMinFileSizeToCache** @@ -462,6 +624,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -473,6 +644,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMinRAMAllowedToPeer** @@ -499,6 +671,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -510,6 +691,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOModifyCacheDrive** @@ -536,6 +718,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -547,6 +738,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOMonthlyUploadDataCap** @@ -573,6 +765,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -586,6 +787,7 @@ ms.date: 08/30/2017 +
        **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** @@ -612,6 +814,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 8a3b89d0f5..8d89bebfb5 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Desktop @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## Desktop policies +
        +
        + Desktop/PreventUserRedirectionOfProfileFolders +
        +
        + +
        **Desktop/PreventUserRedirectionOfProfileFolders** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
        + + Prevents users from changing the path to their profile folders. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index df77a218e7..b45125a146 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeviceGuard @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
        + ## DeviceGuard policies +
        +
        + DeviceGuard/EnableVirtualizationBasedSecurity +
        +
        + DeviceGuard/LsaCfgFlags +
        +
        + DeviceGuard/RequirePlatformSecurityFeatures +
        +
        + +
        **DeviceGuard/EnableVirtualizationBasedSecurity** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +  

        Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: @@ -55,6 +77,7 @@ ms.date: 08/30/2017 +

        **DeviceGuard/LsaCfgFlags** @@ -81,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + +  

        Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: @@ -93,6 +125,7 @@ ms.date: 08/30/2017 +

        **DeviceGuard/RequirePlatformSecurityFeatures** @@ -119,6 +152,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
        + + Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
          diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 4b04c4567d..c57bc0a0a1 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeviceInstallation @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## DeviceInstallation policies +
          +
          + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs +
          +
          + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses +
          +
          + +
          **DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. @@ -69,6 +88,7 @@ ADMX Info: +
          **DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** @@ -95,6 +115,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index dcfc34f488..4767db8c6f 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeviceLock @@ -14,11 +14,63 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## DeviceLock policies +
          +
          + DeviceLock/AllowIdleReturnWithoutPassword +
          +
          + DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +
          +
          + DeviceLock/AllowSimpleDevicePassword +
          +
          + DeviceLock/AlphanumericDevicePasswordRequired +
          +
          + DeviceLock/DevicePasswordEnabled +
          +
          + DeviceLock/DevicePasswordExpiration +
          +
          + DeviceLock/DevicePasswordHistory +
          +
          + DeviceLock/EnforceLockScreenAndLogonImage +
          +
          + DeviceLock/EnforceLockScreenProvider +
          +
          + DeviceLock/MaxDevicePasswordFailedAttempts +
          +
          + DeviceLock/MaxInactivityTimeDeviceLock +
          +
          + DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay +
          +
          + DeviceLock/MinDevicePasswordComplexCharacters +
          +
          + DeviceLock/MinDevicePasswordLength +
          +
          + DeviceLock/PreventLockScreenSlideShow +
          +
          + DeviceLock/ScreenTimeoutWhileLocked +
          +
          + +
          **DeviceLock/AllowIdleReturnWithoutPassword** @@ -45,6 +97,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -63,6 +124,7 @@ ms.date: 08/30/2017 +
          **DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** @@ -89,6 +151,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -110,6 +181,7 @@ ms.date: 08/30/2017 +
          **DeviceLock/AllowSimpleDevicePassword** @@ -136,6 +208,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. @@ -152,6 +233,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/AlphanumericDevicePasswordRequired** @@ -178,6 +260,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). @@ -202,6 +293,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/DevicePasswordEnabled** @@ -228,6 +320,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether device lock is enabled. @@ -278,6 +379,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/DevicePasswordExpiration** @@ -304,6 +406,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies when the password expires (in days). @@ -322,6 +433,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/DevicePasswordHistory** @@ -348,6 +460,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies how many passwords can be stored in the history that can’t be used. @@ -368,6 +489,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/EnforceLockScreenAndLogonImage** @@ -394,6 +516,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. @@ -405,6 +536,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/EnforceLockScreenProvider** @@ -431,6 +563,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. @@ -442,6 +583,7 @@ ms.date: 08/30/2017 +

          **DeviceLock/MaxDevicePasswordFailedAttempts** @@ -468,6 +610,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. @@ -493,6 +644,7 @@ The number of authentication failures allowed before the device will be wiped. A +
          **DeviceLock/MaxInactivityTimeDeviceLock** @@ -519,6 +671,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. @@ -535,6 +696,7 @@ The number of authentication failures allowed before the device will be wiped. A +

          **DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** @@ -561,6 +723,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. @@ -575,6 +746,7 @@ The number of authentication failures allowed before the device will be wiped. A +

          **DeviceLock/MinDevicePasswordComplexCharacters** @@ -601,6 +773,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. @@ -677,6 +858,7 @@ The number of authentication failures allowed before the device will be wiped. A +

          **DeviceLock/MinDevicePasswordLength** @@ -703,6 +885,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies the minimum number or characters required in the PIN or password. @@ -724,6 +915,7 @@ The number of authentication failures allowed before the device will be wiped. A +

          **DeviceLock/PreventLockScreenSlideShow** @@ -750,6 +942,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. @@ -774,6 +975,7 @@ ADMX Info: +
          **DeviceLock/ScreenTimeoutWhileLocked** @@ -800,6 +1002,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 7af8189ba0..43c616c9a7 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Display @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Display policies +
          +
          + Display/TurnOffGdiDPIScalingForApps +
          +
          + Display/TurnOnGdiDPIScalingForApps +
          +
          + +
          **Display/TurnOffGdiDPIScalingForApps** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -63,6 +82,7 @@ ms.date: 08/30/2017 +

          **Display/TurnOnGdiDPIScalingForApps** @@ -89,6 +109,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 6be666c341..dcb33c8647 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Education @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Education policies +
          +
          + Education/DefaultPrinterName +
          +
          + Education/PreventAddingNewPrinters +
          +
          + Education/PrinterNames +
          +
          + +
          **Education/DefaultPrinterName** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. @@ -52,6 +74,7 @@ The policy value is expected to be the name (network host name) of an installed +
          **Education/PreventAddingNewPrinters** @@ -78,6 +101,15 @@ The policy value is expected to be the name (network host name) of an installed + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. @@ -88,6 +120,7 @@ The following list shows the supported values: +
          **Education/PrinterNames** @@ -114,6 +147,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index c11c6d066d..6f3068b82d 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - EnterpriseCloudPrint @@ -14,11 +14,33 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## EnterpriseCloudPrint policies +
          +
          + EnterpriseCloudPrint/CloudPrintOAuthAuthority +
          +
          + EnterpriseCloudPrint/CloudPrintOAuthClientId +
          +
          + EnterpriseCloudPrint/CloudPrintResourceId +
          +
          + EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint +
          +
          + EnterpriseCloudPrint/DiscoveryMaxPrinterLimit +
          +
          + EnterpriseCloudPrint/MopriaDiscoveryResourceId +
          +
          + +
          **EnterpriseCloudPrint/CloudPrintOAuthAuthority** @@ -45,6 +67,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. @@ -54,6 +85,7 @@ ms.date: 08/30/2017 +

          **EnterpriseCloudPrint/CloudPrintOAuthClientId** @@ -80,6 +112,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. @@ -89,6 +130,7 @@ ms.date: 08/30/2017 +

          **EnterpriseCloudPrint/CloudPrintResourceId** @@ -115,6 +157,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. @@ -124,6 +175,7 @@ ms.date: 08/30/2017 +

          **EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** @@ -150,6 +202,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. @@ -159,6 +220,7 @@ ms.date: 08/30/2017 +

          **EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** @@ -185,6 +247,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. @@ -194,6 +265,7 @@ ms.date: 08/30/2017 +

          **EnterpriseCloudPrint/MopriaDiscoveryResourceId** @@ -220,6 +292,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 98c03c6579..c86f76ed58 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ErrorReporting @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## ErrorReporting policies +
          +
          + ErrorReporting/CustomizeConsentSettings +
          +
          + ErrorReporting/DisableWindowsErrorReporting +
          +
          + ErrorReporting/DisplayErrorNotification +
          +
          + ErrorReporting/DoNotSendAdditionalData +
          +
          + ErrorReporting/PreventCriticalErrorDisplay +
          +
          + +
          **ErrorReporting/CustomizeConsentSettings** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting determines the consent behavior of Windows Error Reporting for specific event types. @@ -79,6 +107,7 @@ ADMX Info: +
          **ErrorReporting/DisableWindowsErrorReporting** @@ -105,6 +134,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. @@ -129,6 +167,7 @@ ADMX Info: +
          **ErrorReporting/DisplayErrorNotification** @@ -155,6 +194,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls whether users are shown an error dialog box that lets them report an error. @@ -183,6 +231,7 @@ ADMX Info: +
          **ErrorReporting/DoNotSendAdditionalData** @@ -209,6 +258,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. @@ -233,6 +291,7 @@ ADMX Info: +
          **ErrorReporting/PreventCriticalErrorDisplay** @@ -259,6 +318,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting prevents the display of the user interface for critical errors. diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index a73f5c2b18..60434439fa 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - EventLogService @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## EventLogService policies +
          +
          + EventLogService/ControlEventLogBehavior +
          +
          + EventLogService/SpecifyMaximumFileSizeApplicationLog +
          +
          + EventLogService/SpecifyMaximumFileSizeSecurityLog +
          +
          + EventLogService/SpecifyMaximumFileSizeSystemLog +
          +
          + +
          **EventLogService/ControlEventLogBehavior** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls Event Log behavior when the log file reaches its maximum size. @@ -71,6 +96,7 @@ ADMX Info: +
          **EventLogService/SpecifyMaximumFileSizeApplicationLog** @@ -97,6 +123,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies the maximum size of the log file in kilobytes. @@ -121,6 +156,7 @@ ADMX Info: +
          **EventLogService/SpecifyMaximumFileSizeSecurityLog** @@ -147,6 +183,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies the maximum size of the log file in kilobytes. @@ -171,6 +216,7 @@ ADMX Info: +
          **EventLogService/SpecifyMaximumFileSizeSystemLog** @@ -197,6 +243,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies the maximum size of the log file in kilobytes. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index b5e7a8bfe2..4dfcea0e83 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Experience @@ -14,11 +14,72 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Experience policies +
          +
          + Experience/AllowCopyPaste +
          +
          + Experience/AllowCortana +
          +
          + Experience/AllowDeviceDiscovery +
          +
          + Experience/AllowFindMyDevice +
          +
          + Experience/AllowManualMDMUnenrollment +
          +
          + Experience/AllowSIMErrorDialogPromptWhenNoSIM +
          +
          + Experience/AllowScreenCapture +
          +
          + Experience/AllowSyncMySettings +
          +
          + Experience/AllowTailoredExperiencesWithDiagnosticData +
          +
          + Experience/AllowTaskSwitcher +
          +
          + Experience/AllowThirdPartySuggestionsInWindowsSpotlight +
          +
          + Experience/AllowVoiceRecording +
          +
          + Experience/AllowWindowsConsumerFeatures +
          +
          + Experience/AllowWindowsSpotlight +
          +
          + Experience/AllowWindowsSpotlightOnActionCenter +
          +
          + Experience/AllowWindowsSpotlightWindowsWelcomeExperience +
          +
          + Experience/AllowWindowsTips +
          +
          + Experience/ConfigureWindowsSpotlightOnLockScreen +
          +
          + Experience/DoNotShowFeedbackNotifications +
          +
          + +
          **Experience/AllowCopyPaste** @@ -45,6 +106,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -60,6 +130,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowCortana** @@ -86,6 +157,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. @@ -106,6 +186,7 @@ ms.date: 08/30/2017 +

          **Experience/AllowDeviceDiscovery** @@ -132,6 +213,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows users to turn on/off device discovery UX. @@ -146,6 +236,7 @@ ms.date: 08/30/2017 +

          **Experience/AllowFindMyDevice** @@ -172,6 +263,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy turns on Find My Device. @@ -186,6 +286,7 @@ ms.date: 08/30/2017 +

          **Experience/AllowManualMDMUnenrollment** @@ -212,6 +313,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to allow the user to delete the workplace account using the workplace control panel. @@ -228,6 +338,7 @@ ms.date: 08/30/2017 +

          **Experience/AllowSIMErrorDialogPromptWhenNoSIM** @@ -254,6 +365,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -268,6 +388,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowScreenCapture** @@ -294,6 +415,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -310,6 +440,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowSyncMySettings** @@ -336,6 +467,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -346,6 +486,7 @@ ms.date: 08/30/2017 +

          **Experience/AllowTailoredExperiencesWithDiagnosticData** @@ -372,6 +513,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -391,6 +541,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowTaskSwitcher** @@ -417,6 +568,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -431,6 +591,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowThirdPartySuggestionsInWindowsSpotlight** @@ -457,6 +618,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -471,6 +641,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowVoiceRecording** @@ -497,6 +668,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -513,6 +693,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowWindowsConsumerFeatures** @@ -539,6 +720,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -562,6 +752,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowWindowsSpotlight** @@ -588,6 +779,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -604,6 +804,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowWindowsSpotlightOnActionCenter** @@ -630,6 +831,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -645,6 +855,7 @@ ms.date: 08/30/2017 +
          **Experience/AllowWindowsSpotlightWindowsWelcomeExperience** @@ -671,6 +882,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -687,6 +907,7 @@ The Windows welcome experience feature introduces onboard users to Windows; for +
          **Experience/AllowWindowsTips** @@ -713,6 +934,15 @@ The Windows welcome experience feature introduces onboard users to Windows; for + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Enables or disables Windows Tips / soft landing. @@ -723,6 +953,7 @@ Enables or disables Windows Tips / soft landing. +
          **Experience/ConfigureWindowsSpotlightOnLockScreen** @@ -749,6 +980,15 @@ Enables or disables Windows Tips / soft landing. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -764,6 +1004,7 @@ Enables or disables Windows Tips / soft landing. +
          **Experience/DoNotShowFeedbackNotifications** @@ -790,6 +1031,15 @@ Enables or disables Windows Tips / soft landing. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Prevents devices from showing feedback questions from Microsoft. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 292dfa31bc..f408206e83 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ExploitGuard @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## ExploitGuard policies +
          +
          + ExploitGuard/ExploitProtectionSettings +
          +
          + +
          **ExploitGuard/ExploitProtectionSettings** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index f6fc32cc9f..868f23aa8e 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/31/2017 +ms.date: 09/29/2017 --- # Policy CSP - Games @@ -14,11 +14,18 @@ ms.date: 08/31/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Games policies +
          +
          + Games/AllowAdvancedGamingServices +
          +
          + +
          **Games/AllowAdvancedGamingServices** @@ -45,6 +52,15 @@ ms.date: 08/31/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer. @@ -52,6 +68,7 @@ ms.date: 08/31/2017 - 1 (default) - Allowed

          This policy can only be turned off in Windows 10 Education and Enterprise editions. +

          diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index b2cdcd1ae0..e00909e922 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/07/2017 +ms.date: 09/29/2017 --- # Policy CSP - Handwriting @@ -14,11 +14,18 @@ ms.date: 09/07/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          -## Handwriting policies + +## Handwriting policies +
          +
          + Handwriting/PanelDefaultModeDocked +
          +
          + +
          **Handwriting/PanelDefaultModeDocked** @@ -45,6 +52,15 @@ ms.date: 09/07/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel. @@ -69,4 +85,5 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - \ No newline at end of file + + diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 7be92bcfc1..1a97e52c6c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - InternetExplorer @@ -14,11 +14,771 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## InternetExplorer policies +
          +
          + InternetExplorer/AddSearchProvider +
          +
          + InternetExplorer/AllowActiveXFiltering +
          +
          + InternetExplorer/AllowAddOnList +
          +
          + InternetExplorer/AllowAutoComplete +
          +
          + InternetExplorer/AllowCertificateAddressMismatchWarning +
          +
          + InternetExplorer/AllowDeletingBrowsingHistoryOnExit +
          +
          + InternetExplorer/AllowEnhancedProtectedMode +
          +
          + InternetExplorer/AllowEnterpriseModeFromToolsMenu +
          +
          + InternetExplorer/AllowEnterpriseModeSiteList +
          +
          + InternetExplorer/AllowFallbackToSSL3 +
          +
          + InternetExplorer/AllowInternetExplorer7PolicyList +
          +
          + InternetExplorer/AllowInternetExplorerStandardsMode +
          +
          + InternetExplorer/AllowInternetZoneTemplate +
          +
          + InternetExplorer/AllowIntranetZoneTemplate +
          +
          + InternetExplorer/AllowLocalMachineZoneTemplate +
          +
          + InternetExplorer/AllowLockedDownInternetZoneTemplate +
          +
          + InternetExplorer/AllowLockedDownIntranetZoneTemplate +
          +
          + InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +
          +
          + InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +
          +
          + InternetExplorer/AllowOneWordEntry +
          +
          + InternetExplorer/AllowSiteToZoneAssignmentList +
          +
          + InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +
          +
          + InternetExplorer/AllowSuggestedSites +
          +
          + InternetExplorer/AllowTrustedSitesZoneTemplate +
          +
          + InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +
          +
          + InternetExplorer/AllowsRestrictedSitesZoneTemplate +
          +
          + InternetExplorer/CheckServerCertificateRevocation +
          +
          + InternetExplorer/CheckSignaturesOnDownloadedPrograms +
          +
          + InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +
          +
          + InternetExplorer/DisableAdobeFlash +
          +
          + InternetExplorer/DisableBlockingOfOutdatedActiveXControls +
          +
          + InternetExplorer/DisableBypassOfSmartScreenWarnings +
          +
          + InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +
          +
          + InternetExplorer/DisableConfiguringHistory +
          +
          + InternetExplorer/DisableCrashDetection +
          +
          + InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +
          +
          + InternetExplorer/DisableDeletingUserVisitedWebsites +
          +
          + InternetExplorer/DisableEnclosureDownloading +
          +
          + InternetExplorer/DisableEncryptionSupport +
          +
          + InternetExplorer/DisableFirstRunWizard +
          +
          + InternetExplorer/DisableFlipAheadFeature +
          +
          + InternetExplorer/DisableHomePageChange +
          +
          + InternetExplorer/DisableIgnoringCertificateErrors +
          +
          + InternetExplorer/DisableInPrivateBrowsing +
          +
          + InternetExplorer/DisableProcessesInEnhancedProtectedMode +
          +
          + InternetExplorer/DisableProxyChange +
          +
          + InternetExplorer/DisableSearchProviderChange +
          +
          + InternetExplorer/DisableSecondaryHomePageChange +
          +
          + InternetExplorer/DisableSecuritySettingsCheck +
          +
          + InternetExplorer/DisableUpdateCheck +
          +
          + InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +
          +
          + InternetExplorer/DoNotAllowUsersToAddSites +
          +
          + InternetExplorer/DoNotAllowUsersToChangePolicies +
          +
          + InternetExplorer/DoNotBlockOutdatedActiveXControls +
          +
          + InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +
          +
          + InternetExplorer/IncludeAllLocalSites +
          +
          + InternetExplorer/IncludeAllNetworkPaths +
          +
          + InternetExplorer/InternetZoneAllowAccessToDataSources +
          +
          + InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/InternetZoneAllowCopyPasteViaScript +
          +
          + InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +
          +
          + InternetExplorer/InternetZoneAllowFontDownloads +
          +
          + InternetExplorer/InternetZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +
          +
          + InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +
          +
          + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
          +
          + InternetExplorer/InternetZoneAllowScriptInitiatedWindows +
          +
          + InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +
          +
          + InternetExplorer/InternetZoneAllowScriptlets +
          +
          + InternetExplorer/InternetZoneAllowSmartScreenIE +
          +
          + InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +
          +
          + InternetExplorer/InternetZoneAllowUserDataPersistence +
          +
          + InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +
          +
          + InternetExplorer/InternetZoneDownloadSignedActiveXControls +
          +
          + InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +
          +
          + InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +
          +
          + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
          +
          + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
          +
          + InternetExplorer/InternetZoneEnableMIMESniffing +
          +
          + InternetExplorer/InternetZoneEnableProtectedMode +
          +
          + InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +
          +
          + InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
          +
          + InternetExplorer/InternetZoneJavaPermissions +
          +
          + InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +
          +
          + InternetExplorer/InternetZoneLogonOptions +
          +
          + InternetExplorer/InternetZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode +
          +
          + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
          +
          + InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +
          +
          + InternetExplorer/InternetZoneUsePopupBlocker +
          +
          + InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone +
          +
          + InternetExplorer/IntranetZoneAllowAccessToDataSources +
          +
          + InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/IntranetZoneAllowFontDownloads +
          +
          + InternetExplorer/IntranetZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/IntranetZoneAllowScriptlets +
          +
          + InternetExplorer/IntranetZoneAllowSmartScreenIE +
          +
          + InternetExplorer/IntranetZoneAllowUserDataPersistence +
          +
          + InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +
          +
          + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
          +
          + InternetExplorer/IntranetZoneJavaPermissions +
          +
          + InternetExplorer/IntranetZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/LocalMachineZoneAllowAccessToDataSources +
          +
          + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/LocalMachineZoneAllowFontDownloads +
          +
          + InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/LocalMachineZoneAllowScriptlets +
          +
          + InternetExplorer/LocalMachineZoneAllowSmartScreenIE +
          +
          + InternetExplorer/LocalMachineZoneAllowUserDataPersistence +
          +
          + InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +
          +
          + InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/LocalMachineZoneJavaPermissions +
          +
          + InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +
          +
          + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/LockedDownInternetZoneAllowFontDownloads +
          +
          + InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/LockedDownInternetZoneAllowScriptlets +
          +
          + InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +
          +
          + InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +
          +
          + InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/LockedDownInternetZoneJavaPermissions +
          +
          + InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowScriptlets +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +
          +
          + InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +
          +
          + InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +
          +
          + InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +
          +
          + InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +
          +
          + InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions +
          +
          + InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions +
          +
          + InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +
          +
          + InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses +
          +
          + InternetExplorer/NotificationBarInternetExplorerProcesses +
          +
          + InternetExplorer/PreventManagingSmartScreenFilter +
          +
          + InternetExplorer/PreventPerUserInstallationOfActiveXControls +
          +
          + InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +
          +
          + InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +
          +
          + InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +
          +
          + InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +
          +
          + InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +
          +
          + InternetExplorer/RestrictedSitesZoneAllowActiveScripting +
          +
          + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +
          +
          + InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +
          +
          + InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +
          +
          + InternetExplorer/RestrictedSitesZoneAllowFileDownloads +
          +
          + InternetExplorer/RestrictedSitesZoneAllowFontDownloads +
          +
          + InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +
          +
          + InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +
          +
          + InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +
          +
          + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
          +
          + InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +
          +
          + InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +
          +
          + InternetExplorer/RestrictedSitesZoneAllowScriptlets +
          +
          + InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +
          +
          + InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +
          +
          + InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +
          +
          + InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
          +
          + InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +
          +
          + InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +
          +
          + InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +
          +
          + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
          +
          + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
          +
          + InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +
          +
          + InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +
          +
          + InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/RestrictedSitesZoneJavaPermissions +
          +
          + InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +
          +
          + InternetExplorer/RestrictedSitesZoneLogonOptions +
          +
          + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +
          +
          + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains +
          +
          + InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +
          +
          + InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
          +
          + InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +
          +
          + InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +
          +
          + InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +
          +
          + InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter +
          +
          + InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +
          +
          + InternetExplorer/RestrictedSitesZoneUsePopupBlocker +
          +
          + InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +
          +
          + InternetExplorer/SearchProviderList +
          +
          + InternetExplorer/SecurityZonesUseOnlyMachineSettings +
          +
          + InternetExplorer/SpecifyUseOfActiveXInstallerService +
          +
          + InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +
          +
          + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
          +
          + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
          +
          + InternetExplorer/TrustedSitesZoneAllowFontDownloads +
          +
          + InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +
          +
          + InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +
          +
          + InternetExplorer/TrustedSitesZoneAllowScriptlets +
          +
          + InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +
          +
          + InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +
          +
          + InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
          +
          + InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls +
          +
          + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +
          +
          + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe +
          +
          + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
          +
          + InternetExplorer/TrustedSitesZoneJavaPermissions +
          +
          + InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +
          +
          + +
          **InternetExplorer/AddSearchProvider** @@ -45,6 +805,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. @@ -69,6 +839,7 @@ ADMX Info: +
          **InternetExplorer/AllowActiveXFiltering** @@ -95,6 +866,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. @@ -119,6 +900,7 @@ ADMX Info: +
          **InternetExplorer/AllowAddOnList** @@ -145,6 +927,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. @@ -175,6 +967,7 @@ ADMX Info: +
          **InternetExplorer/AllowAutoComplete** @@ -201,6 +994,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + > [!TIP] @@ -219,6 +1021,7 @@ ADMX Info: +
          **InternetExplorer/AllowCertificateAddressMismatchWarning** @@ -245,6 +1048,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -263,6 +1076,7 @@ ADMX Info: +
          **InternetExplorer/AllowDeletingBrowsingHistoryOnExit** @@ -289,6 +1103,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -307,6 +1131,7 @@ ADMX Info: +
          **InternetExplorer/AllowEnhancedProtectedMode** @@ -333,6 +1158,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. @@ -359,6 +1194,7 @@ ADMX Info: +
          **InternetExplorer/AllowEnterpriseModeFromToolsMenu** @@ -385,6 +1221,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. @@ -409,6 +1255,7 @@ ADMX Info: +
          **InternetExplorer/AllowEnterpriseModeSiteList** @@ -435,6 +1282,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. @@ -459,6 +1316,7 @@ ADMX Info: +
          **InternetExplorer/AllowFallbackToSSL3** @@ -485,6 +1343,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -503,6 +1370,7 @@ ADMX Info: +
          **InternetExplorer/AllowInternetExplorer7PolicyList** @@ -529,6 +1397,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. @@ -553,6 +1431,7 @@ ADMX Info: +
          **InternetExplorer/AllowInternetExplorerStandardsMode** @@ -579,6 +1458,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. @@ -605,6 +1494,7 @@ ADMX Info: +
          **InternetExplorer/AllowInternetZoneTemplate** @@ -631,6 +1521,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -661,6 +1561,7 @@ ADMX Info: +
          **InternetExplorer/AllowIntranetZoneTemplate** @@ -687,6 +1588,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -717,6 +1628,7 @@ ADMX Info: +
          **InternetExplorer/AllowLocalMachineZoneTemplate** @@ -743,6 +1655,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -773,6 +1695,7 @@ ADMX Info: +
          **InternetExplorer/AllowLockedDownInternetZoneTemplate** @@ -799,6 +1722,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -829,6 +1762,7 @@ ADMX Info: +
          **InternetExplorer/AllowLockedDownIntranetZoneTemplate** @@ -855,6 +1789,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -885,6 +1829,7 @@ ADMX Info: +
          **InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** @@ -911,6 +1856,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -941,6 +1896,7 @@ ADMX Info: +
          **InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** @@ -967,6 +1923,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -997,6 +1963,7 @@ ADMX Info: +
          **InternetExplorer/AllowOneWordEntry** @@ -1023,6 +1990,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. @@ -1047,6 +2024,7 @@ ADMX Info: +
          **InternetExplorer/AllowSiteToZoneAssignmentList** @@ -1073,6 +2051,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. @@ -1103,6 +2091,7 @@ ADMX Info: +
          **InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** @@ -1129,6 +2118,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1147,6 +2146,7 @@ ADMX Info: +
          **InternetExplorer/AllowSuggestedSites** @@ -1173,6 +2173,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. @@ -1199,6 +2209,7 @@ ADMX Info: +
          **InternetExplorer/AllowTrustedSitesZoneTemplate** @@ -1225,6 +2236,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -1255,6 +2276,7 @@ ADMX Info: +
          **InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** @@ -1281,6 +2303,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -1311,6 +2343,7 @@ ADMX Info: +
          **InternetExplorer/AllowsRestrictedSitesZoneTemplate** @@ -1337,6 +2370,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -1367,6 +2410,7 @@ ADMX Info: +
          **InternetExplorer/CheckServerCertificateRevocation** @@ -1393,6 +2437,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1411,6 +2465,7 @@ ADMX Info: +
          **InternetExplorer/CheckSignaturesOnDownloadedPrograms** @@ -1437,6 +2492,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1455,6 +2520,7 @@ ADMX Info: +
          **InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** @@ -1481,6 +2547,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1499,6 +2575,7 @@ ADMX Info: +
          **InternetExplorer/DisableAdobeFlash** @@ -1525,6 +2602,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. @@ -1551,6 +2638,7 @@ ADMX Info: +
          **InternetExplorer/DisableBlockingOfOutdatedActiveXControls** @@ -1577,6 +2665,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1595,6 +2693,7 @@ ADMX Info: +
          **InternetExplorer/DisableBypassOfSmartScreenWarnings** @@ -1621,6 +2720,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. @@ -1645,6 +2754,7 @@ ADMX Info: +
          **InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** @@ -1671,6 +2781,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. @@ -1695,6 +2815,7 @@ ADMX Info: +
          **InternetExplorer/DisableConfiguringHistory** @@ -1721,6 +2842,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1739,6 +2870,7 @@ ADMX Info: +
          **InternetExplorer/DisableCrashDetection** @@ -1765,6 +2897,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1783,6 +2925,7 @@ ADMX Info: +
          **InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** @@ -1809,6 +2952,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). @@ -1835,6 +2988,7 @@ ADMX Info: +
          **InternetExplorer/DisableDeletingUserVisitedWebsites** @@ -1861,6 +3015,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -1879,6 +3043,7 @@ ADMX Info: +
          **InternetExplorer/DisableEnclosureDownloading** @@ -1905,6 +3070,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. @@ -1929,6 +3104,7 @@ ADMX Info: +
          **InternetExplorer/DisableEncryptionSupport** @@ -1955,6 +3131,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. @@ -1981,6 +3167,7 @@ ADMX Info: +
          **InternetExplorer/DisableFirstRunWizard** @@ -2007,6 +3194,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. @@ -2035,6 +3232,7 @@ ADMX Info: +
          **InternetExplorer/DisableFlipAheadFeature** @@ -2061,6 +3259,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. @@ -2089,6 +3297,7 @@ ADMX Info: +
          **InternetExplorer/DisableHomePageChange** @@ -2115,6 +3324,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. @@ -2139,6 +3357,7 @@ ADMX Info: +
          **InternetExplorer/DisableIgnoringCertificateErrors** @@ -2165,6 +3384,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -2183,6 +3412,7 @@ ADMX Info: +
          **InternetExplorer/DisableInPrivateBrowsing** @@ -2209,6 +3439,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -2227,6 +3467,7 @@ ADMX Info: +
          **InternetExplorer/DisableProcessesInEnhancedProtectedMode** @@ -2253,6 +3494,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -2271,6 +3522,7 @@ ADMX Info: +
          **InternetExplorer/DisableProxyChange** @@ -2297,6 +3549,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting specifies if a user can change proxy settings. @@ -2321,6 +3583,7 @@ ADMX Info: +
          **InternetExplorer/DisableSearchProviderChange** @@ -2347,6 +3610,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. @@ -2371,6 +3644,7 @@ ADMX Info: +
          **InternetExplorer/DisableSecondaryHomePageChange** @@ -2397,6 +3671,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. @@ -2423,6 +3707,7 @@ ADMX Info: +
          **InternetExplorer/DisableSecuritySettingsCheck** @@ -2449,6 +3734,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -2467,6 +3762,7 @@ ADMX Info: +
          **InternetExplorer/DisableUpdateCheck** @@ -2493,6 +3789,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Prevents Internet Explorer from checking whether a new version of the browser is available. @@ -2519,6 +3824,7 @@ ADMX Info: +
          **InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** @@ -2545,6 +3851,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -2563,6 +3879,7 @@ ADMX Info: +
          **InternetExplorer/DoNotAllowUsersToAddSites** @@ -2589,6 +3906,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. @@ -2619,6 +3945,7 @@ ADMX Info: +
          **InternetExplorer/DoNotAllowUsersToChangePolicies** @@ -2645,6 +3972,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. @@ -2675,6 +4011,7 @@ ADMX Info: +
          **InternetExplorer/DoNotBlockOutdatedActiveXControls** @@ -2701,6 +4038,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. @@ -2727,6 +4074,7 @@ ADMX Info: +
          **InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** @@ -2753,6 +4101,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. @@ -2783,6 +4141,7 @@ ADMX Info: +
          **InternetExplorer/IncludeAllLocalSites** @@ -2809,6 +4168,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. @@ -2835,6 +4204,7 @@ ADMX Info: +
          **InternetExplorer/IncludeAllNetworkPaths** @@ -2861,6 +4231,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. @@ -2887,6 +4267,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowAccessToDataSources** @@ -2913,6 +4294,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -2939,6 +4330,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** @@ -2965,6 +4357,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -2991,6 +4393,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** @@ -3017,6 +4420,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -3041,6 +4454,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowCopyPasteViaScript** @@ -3067,6 +4481,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3085,6 +4509,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** @@ -3111,6 +4536,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3129,6 +4564,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowFontDownloads** @@ -3155,6 +4591,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -3181,6 +4627,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowLessPrivilegedSites** @@ -3207,6 +4654,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. @@ -3233,6 +4690,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles** @@ -3259,6 +4717,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3277,6 +4745,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** @@ -3303,6 +4772,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -3329,6 +4808,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** @@ -3355,6 +4835,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3373,6 +4863,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** @@ -3399,6 +4890,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3417,6 +4918,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowScriptInitiatedWindows** @@ -3443,6 +4945,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3461,6 +4973,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** @@ -3487,6 +5000,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3505,6 +5028,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowScriptlets** @@ -3531,6 +5055,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -3557,6 +5091,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowSmartScreenIE** @@ -3583,6 +5118,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -3611,6 +5156,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** @@ -3637,6 +5183,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3655,6 +5211,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneAllowUserDataPersistence** @@ -3681,6 +5238,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -3707,6 +5274,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -3733,6 +5301,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3751,6 +5329,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneDownloadSignedActiveXControls** @@ -3777,6 +5356,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3795,6 +5384,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** @@ -3821,6 +5411,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3839,6 +5439,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** @@ -3865,6 +5466,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3883,6 +5494,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** @@ -3909,6 +5521,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3927,6 +5549,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** @@ -3953,6 +5576,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -3971,6 +5604,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneEnableMIMESniffing** @@ -3997,6 +5631,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4015,6 +5659,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneEnableProtectedMode** @@ -4041,6 +5686,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4059,6 +5714,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** @@ -4085,6 +5741,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4103,6 +5769,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** @@ -4129,6 +5796,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -4157,6 +5834,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** @@ -4186,6 +5864,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneJavaPermissions** @@ -4212,6 +5891,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4230,6 +5919,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** @@ -4256,6 +5946,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4274,6 +5974,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneLogonOptions** @@ -4300,6 +6001,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4318,6 +6029,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneNavigateWindowsAndFrames** @@ -4344,6 +6056,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -4370,6 +6092,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** @@ -4396,6 +6119,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4414,6 +6147,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** @@ -4440,6 +6174,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4458,6 +6202,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** @@ -4484,6 +6229,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4502,6 +6257,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneUsePopupBlocker** @@ -4528,6 +6284,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4546,6 +6312,7 @@ ADMX Info: +
          **InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** @@ -4572,6 +6339,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -4590,6 +6367,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowAccessToDataSources** @@ -4616,6 +6394,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -4642,6 +6430,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** @@ -4668,6 +6457,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -4694,6 +6493,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** @@ -4720,6 +6520,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -4744,6 +6554,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowFontDownloads** @@ -4770,6 +6581,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -4796,6 +6617,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowLessPrivilegedSites** @@ -4822,6 +6644,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. @@ -4848,6 +6680,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** @@ -4874,6 +6707,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -4900,6 +6743,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowScriptlets** @@ -4926,6 +6770,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -4952,6 +6806,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowSmartScreenIE** @@ -4978,6 +6833,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -5006,6 +6871,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneAllowUserDataPersistence** @@ -5032,6 +6898,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -5058,6 +6934,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -5084,6 +6961,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -5102,6 +6989,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** @@ -5128,6 +7016,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -5156,6 +7054,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** @@ -5182,6 +7081,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -5200,6 +7109,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneJavaPermissions** @@ -5226,6 +7136,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -5244,6 +7164,7 @@ ADMX Info: +
          **InternetExplorer/IntranetZoneNavigateWindowsAndFrames** @@ -5270,6 +7191,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -5296,6 +7227,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowAccessToDataSources** @@ -5322,6 +7254,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -5348,6 +7290,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** @@ -5374,6 +7317,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -5400,6 +7353,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** @@ -5426,6 +7380,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -5450,6 +7414,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowFontDownloads** @@ -5476,6 +7441,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -5502,6 +7477,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** @@ -5528,6 +7504,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -5554,6 +7540,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** @@ -5580,6 +7567,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -5606,6 +7603,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowScriptlets** @@ -5632,6 +7630,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -5658,6 +7666,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowSmartScreenIE** @@ -5684,6 +7693,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -5712,6 +7731,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneAllowUserDataPersistence** @@ -5738,6 +7758,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -5764,6 +7794,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -5790,6 +7821,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -5808,6 +7849,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** @@ -5834,6 +7876,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -5862,6 +7914,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneJavaPermissions** @@ -5888,6 +7941,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -5906,6 +7969,7 @@ ADMX Info: +
          **InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** @@ -5932,6 +7996,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -5958,6 +8032,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** @@ -5984,6 +8059,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -6010,6 +8095,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** @@ -6036,6 +8122,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -6062,6 +8158,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** @@ -6088,6 +8185,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -6112,6 +8219,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowFontDownloads** @@ -6138,6 +8246,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -6164,6 +8282,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** @@ -6190,6 +8309,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -6216,6 +8345,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** @@ -6242,6 +8372,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -6268,6 +8408,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowScriptlets** @@ -6294,6 +8435,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -6320,6 +8471,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** @@ -6346,6 +8498,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -6374,6 +8536,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** @@ -6400,6 +8563,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -6426,6 +8599,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** @@ -6452,6 +8626,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -6480,6 +8664,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneJavaPermissions** @@ -6506,6 +8691,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -6524,6 +8719,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** @@ -6550,6 +8746,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -6576,6 +8782,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** @@ -6602,6 +8809,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -6628,6 +8845,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** @@ -6654,6 +8872,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -6680,6 +8908,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** @@ -6706,6 +8935,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -6730,6 +8969,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** @@ -6756,6 +8996,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -6782,6 +9032,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** @@ -6808,6 +9059,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -6834,6 +9095,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** @@ -6860,6 +9122,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -6886,6 +9158,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowScriptlets** @@ -6912,6 +9185,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -6938,6 +9221,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** @@ -6964,6 +9248,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -6992,6 +9286,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** @@ -7018,6 +9313,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -7044,6 +9349,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** @@ -7070,6 +9376,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -7098,6 +9414,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** @@ -7124,6 +9441,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -7150,6 +9477,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** @@ -7176,6 +9504,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -7202,6 +9540,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** @@ -7228,6 +9567,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -7254,6 +9603,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** @@ -7280,6 +9630,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -7304,6 +9664,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** @@ -7330,6 +9691,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -7356,6 +9727,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** @@ -7382,6 +9754,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -7408,6 +9790,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** @@ -7434,6 +9817,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -7460,6 +9853,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** @@ -7486,6 +9880,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -7512,6 +9916,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** @@ -7538,6 +9943,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -7566,6 +9981,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** @@ -7592,6 +10008,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -7618,6 +10044,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** @@ -7644,6 +10071,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -7672,6 +10109,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** @@ -7698,6 +10136,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -7716,6 +10164,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** @@ -7742,6 +10191,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -7768,6 +10227,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** @@ -7794,6 +10254,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -7820,6 +10290,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -7846,6 +10317,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -7872,6 +10353,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -7898,6 +10380,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -7922,6 +10414,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** @@ -7948,6 +10441,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -7974,6 +10477,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** @@ -8000,6 +10504,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -8026,6 +10540,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** @@ -8052,6 +10567,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -8078,6 +10603,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** @@ -8104,6 +10630,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -8130,6 +10666,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** @@ -8156,6 +10693,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -8184,6 +10731,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** @@ -8210,6 +10758,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -8236,6 +10794,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** @@ -8262,6 +10821,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -8290,6 +10859,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** @@ -8316,6 +10886,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -8334,6 +10914,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** @@ -8360,6 +10941,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -8386,6 +10977,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** @@ -8412,6 +11004,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -8438,6 +11040,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -8464,6 +11067,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -8490,6 +11103,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -8516,6 +11130,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -8540,6 +11164,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** @@ -8566,6 +11191,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -8592,6 +11227,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** @@ -8618,6 +11254,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -8644,6 +11290,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** @@ -8670,6 +11317,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -8696,6 +11353,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** @@ -8722,6 +11380,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -8748,6 +11416,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** @@ -8774,6 +11443,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -8802,6 +11481,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** @@ -8828,6 +11508,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -8854,6 +11544,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** @@ -8880,6 +11571,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -8908,6 +11609,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** @@ -8934,6 +11636,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -8952,6 +11664,7 @@ ADMX Info: +
          **InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** @@ -8978,6 +11691,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -9004,6 +11727,7 @@ ADMX Info: +
          **InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** @@ -9030,6 +11754,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9048,6 +11782,7 @@ ADMX Info: +
          **InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** @@ -9074,6 +11809,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9092,6 +11837,7 @@ ADMX Info: +
          **InternetExplorer/NotificationBarInternetExplorerProcesses** @@ -9118,6 +11864,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9136,6 +11892,7 @@ ADMX Info: +
          **InternetExplorer/PreventManagingSmartScreenFilter** @@ -9162,6 +11919,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9180,6 +11947,7 @@ ADMX Info: +
          **InternetExplorer/PreventPerUserInstallationOfActiveXControls** @@ -9206,6 +11974,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9224,6 +12002,7 @@ ADMX Info: +
          **InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** @@ -9250,6 +12029,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9268,6 +12057,7 @@ ADMX Info: +
          **InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** @@ -9294,6 +12084,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9312,6 +12112,7 @@ ADMX Info: +
          **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** @@ -9338,6 +12139,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9356,6 +12167,7 @@ ADMX Info: +
          **InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** @@ -9382,6 +12194,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9400,6 +12222,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** @@ -9426,6 +12249,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -9452,6 +12285,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowActiveScripting** @@ -9478,6 +12312,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9496,6 +12340,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -9522,6 +12367,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -9548,6 +12403,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -9574,6 +12430,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -9598,6 +12464,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** @@ -9624,6 +12491,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9642,6 +12519,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** @@ -9668,6 +12546,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9686,6 +12574,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** @@ -9712,6 +12601,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9730,6 +12629,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowFileDownloads** @@ -9756,6 +12656,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9774,6 +12684,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowFontDownloads** @@ -9800,6 +12711,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -9826,6 +12747,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** @@ -9852,6 +12774,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -9878,6 +12810,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** @@ -9904,6 +12837,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9922,6 +12865,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** @@ -9948,6 +12892,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -9966,6 +12920,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** @@ -9992,6 +12947,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -10018,6 +12983,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** @@ -10044,6 +13010,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10062,6 +13038,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** @@ -10088,6 +13065,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10106,6 +13093,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** @@ -10132,6 +13120,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10150,6 +13148,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** @@ -10176,6 +13175,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10194,6 +13203,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowScriptlets** @@ -10220,6 +13230,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -10246,6 +13266,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** @@ -10272,6 +13293,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -10300,6 +13331,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** @@ -10326,6 +13358,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10344,6 +13386,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** @@ -10370,6 +13413,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -10396,6 +13449,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -10422,6 +13476,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10440,6 +13504,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** @@ -10466,6 +13531,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10484,6 +13559,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** @@ -10510,6 +13586,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10528,6 +13614,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter** @@ -10554,6 +13641,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10572,6 +13669,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** @@ -10598,6 +13696,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10616,6 +13724,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** @@ -10642,6 +13751,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10660,6 +13779,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** @@ -10686,6 +13806,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10704,6 +13834,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** @@ -10730,6 +13861,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10748,6 +13889,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** @@ -10774,6 +13916,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -10802,6 +13954,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneJavaPermissions** @@ -10828,6 +13981,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10846,6 +14009,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** @@ -10872,6 +14036,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10890,6 +14064,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneLogonOptions** @@ -10916,6 +14091,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -10934,6 +14119,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** @@ -10960,6 +14146,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -10986,6 +14182,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** @@ -11012,6 +14209,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11030,6 +14237,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** @@ -11056,6 +14264,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11074,6 +14292,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** @@ -11100,6 +14319,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11118,6 +14347,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** @@ -11144,6 +14374,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11162,6 +14402,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets** @@ -11188,6 +14429,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11206,6 +14457,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles** @@ -11232,6 +14484,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11250,6 +14512,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter** @@ -11276,6 +14539,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11294,6 +14567,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode** @@ -11320,6 +14594,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11338,6 +14622,7 @@ ADMX Info: +
          **InternetExplorer/RestrictedSitesZoneUsePopupBlocker** @@ -11364,6 +14649,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11382,6 +14677,7 @@ ADMX Info: +
          **InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** @@ -11408,6 +14704,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11426,6 +14732,7 @@ ADMX Info: +
          **InternetExplorer/SearchProviderList** @@ -11452,6 +14759,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. @@ -11476,6 +14793,7 @@ ADMX Info: +
          **InternetExplorer/SecurityZonesUseOnlyMachineSettings** @@ -11502,6 +14820,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -11520,6 +14847,7 @@ ADMX Info: +
          **InternetExplorer/SpecifyUseOfActiveXInstallerService** @@ -11546,6 +14874,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -11564,6 +14902,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** @@ -11590,6 +14929,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -11616,6 +14965,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -11642,6 +14992,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -11668,6 +15028,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -11694,6 +15055,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -11718,6 +15089,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowFontDownloads** @@ -11744,6 +15116,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -11770,6 +15152,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** @@ -11796,6 +15179,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. @@ -11822,6 +15215,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** @@ -11848,6 +15242,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -11874,6 +15278,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowScriptlets** @@ -11900,6 +15305,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage whether the user can run scriptlets. @@ -11926,6 +15341,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** @@ -11952,6 +15368,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -11980,6 +15406,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** @@ -12006,6 +15433,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -12032,6 +15469,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -12058,6 +15496,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -12076,6 +15524,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls** @@ -12102,6 +15551,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -12120,6 +15579,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** @@ -12146,6 +15606,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -12174,6 +15644,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe** @@ -12200,6 +15671,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -12218,6 +15699,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe** @@ -12244,6 +15726,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -12262,6 +15754,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneJavaPermissions** @@ -12288,6 +15781,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!TIP] @@ -12306,6 +15809,7 @@ ADMX Info: +
          **InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** @@ -12332,6 +15836,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index d4683f4ded..0297e2a41a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Kerberos @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Kerberos policies +
          +
          + Kerberos/AllowForestSearchOrder +
          +
          + Kerberos/KerberosClientSupportsClaimsCompoundArmor +
          +
          + Kerberos/RequireKerberosArmoring +
          +
          + Kerberos/RequireStrictKDCValidation +
          +
          + Kerberos/SetMaximumContextTokenSize +
          +
          + +
          **Kerberos/AllowForestSearchOrder** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). @@ -69,6 +97,7 @@ ADMX Info: +
          **Kerberos/KerberosClientSupportsClaimsCompoundArmor** @@ -95,6 +124,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. @@ -118,6 +156,7 @@ ADMX Info: +
          **Kerberos/RequireKerberosArmoring** @@ -144,6 +183,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. @@ -172,6 +220,7 @@ ADMX Info: +
          **Kerberos/RequireStrictKDCValidation** @@ -198,6 +247,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. @@ -222,6 +280,7 @@ ADMX Info: +
          **Kerberos/SetMaximumContextTokenSize** @@ -248,6 +307,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index a8f855bc5e..47c63e821c 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Licensing @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Licensing policies +
          +
          + Licensing/AllowWindowsEntitlementReactivation +
          +
          + Licensing/DisallowKMSClientOnlineAVSValidation +
          +
          + +
          **Licensing/AllowWindowsEntitlementReactivation** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +

          **Licensing/DisallowKMSClientOnlineAVSValidation** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 5eb02ceae2..f2c1e120e8 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - LocalPoliciesSecurityOptions @@ -14,11 +14,87 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## LocalPoliciesSecurityOptions policies +
          +
          + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +
          +
          + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +
          +
          + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +
          +
          + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +
          +
          + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +
          +
          + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +
          +
          + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +
          +
          + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +
          +
          + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon +
          +
          + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +
          +
          + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +
          +
          + +
          **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -45,6 +121,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting prevents users from adding new Microsoft accounts on this computer. @@ -61,6 +146,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** @@ -87,6 +173,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This security setting determines whether the local Administrator account is enabled or disabled. @@ -104,6 +199,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** @@ -130,6 +226,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This security setting determines if the Guest account is enabled or disabled. @@ -144,6 +249,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** @@ -170,6 +276,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Accounts: Limit local account use of blank passwords to console logon only @@ -192,6 +307,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** @@ -218,6 +334,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Accounts: Rename administrator account @@ -229,6 +354,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** @@ -255,6 +381,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Accounts: Rename guest account @@ -266,6 +401,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -292,6 +428,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive Logon:Display user information when the session is locked @@ -304,6 +449,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn** @@ -330,6 +476,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive logon: Don't display last signed-in @@ -347,6 +502,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn** @@ -373,6 +529,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive logon: Don't display username at sign-in @@ -391,6 +556,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL** @@ -417,6 +583,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive logon: Do not require CTRL+ALT+DEL @@ -436,6 +611,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** @@ -462,6 +638,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive logon: Machine inactivity limit. @@ -476,6 +661,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** @@ -502,6 +688,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive logon: Message text for users attempting to log on @@ -515,6 +710,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** @@ -541,6 +737,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Interactive logon: Message title for users attempting to log on @@ -552,6 +757,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** @@ -578,6 +784,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Network security: Allow PKU2U authentication requests to this computer to use online identities. @@ -591,6 +806,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** @@ -631,6 +847,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** @@ -657,6 +874,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Shutdown: Allow system to be shut down without having to log on @@ -676,6 +902,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** @@ -702,6 +929,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. @@ -720,6 +956,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** @@ -746,6 +983,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode @@ -769,6 +1015,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** @@ -795,6 +1042,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. @@ -811,6 +1067,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** @@ -837,6 +1094,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Only elevate executable files that are signed and validated @@ -850,6 +1116,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** @@ -876,6 +1143,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Only elevate UIAccess applications that are installed in secure locations @@ -895,6 +1171,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode** @@ -921,6 +1198,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Turn on Admin Approval Mode @@ -935,6 +1221,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** @@ -961,6 +1248,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Switch to the secure desktop when prompting for elevation @@ -974,6 +1270,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
          **LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** @@ -1000,6 +1297,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + User Account Control: Virtualize file and registry write failures to per-user locations diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index 130111a793..f1124ffad4 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Location @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Location policies +
          +
          + Location/EnableLocation +
          +
          + +
          **Location/EnableLocation** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index ff2b494dee..038d477577 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - LockDown @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## LockDown policies +
          +
          + LockDown/AllowEdgeSwipe +
          +
          + +
          **LockDown/AllowEdgeSwipe** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 40abac41bc..5c1dab3c54 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Maps @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Maps policies +
          +
          + Maps/AllowOfflineMapsDownloadOverMeteredConnection +
          +
          + Maps/EnableOfflineMapsAutoUpdate +
          +
          + +
          **Maps/AllowOfflineMapsDownloadOverMeteredConnection** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. @@ -58,6 +77,7 @@ ms.date: 08/30/2017 +

          **Maps/EnableOfflineMapsAutoUpdate** @@ -84,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Disables the automatic download and update of map data. diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index edaff6765e..eac7199c3e 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Messaging @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Messaging policies +
          +
          + Messaging/AllowMMS +
          +
          + Messaging/AllowMessageSync +
          +
          + Messaging/AllowRCS +
          +
          + +
          **Messaging/AllowMMS** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -58,6 +80,7 @@ ms.date: 08/30/2017 +
          **Messaging/AllowMessageSync** @@ -84,6 +107,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -94,6 +126,7 @@ ms.date: 08/30/2017 +

          **Messaging/AllowRCS** @@ -120,6 +153,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 3196840a3b..95dcb7e362 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - NetworkIsolation @@ -14,11 +14,39 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## NetworkIsolation policies +
          +
          + NetworkIsolation/EnterpriseCloudResources +
          +
          + NetworkIsolation/EnterpriseIPRange +
          +
          + NetworkIsolation/EnterpriseIPRangesAreAuthoritative +
          +
          + NetworkIsolation/EnterpriseInternalProxyServers +
          +
          + NetworkIsolation/EnterpriseNetworkDomainNames +
          +
          + NetworkIsolation/EnterpriseProxyServers +
          +
          + NetworkIsolation/EnterpriseProxyServersAreAuthoritative +
          +
          + NetworkIsolation/NeutralResources +
          +
          + +
          **NetworkIsolation/EnterpriseCloudResources** @@ -45,11 +73,21 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. +

          **NetworkIsolation/EnterpriseIPRange** @@ -76,6 +114,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: @@ -90,6 +137,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +

          **NetworkIsolation/EnterpriseIPRangesAreAuthoritative** @@ -116,11 +164,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. +

          **NetworkIsolation/EnterpriseInternalProxyServers** @@ -147,11 +205,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. +

          **NetworkIsolation/EnterpriseNetworkDomainNames** @@ -178,6 +246,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". @@ -193,6 +270,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +

          **NetworkIsolation/EnterpriseProxyServers** @@ -219,11 +297,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". +

          **NetworkIsolation/EnterpriseProxyServersAreAuthoritative** @@ -250,11 +338,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. +

          **NetworkIsolation/NeutralResources** @@ -281,6 +379,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          List of domain names that can used for work or personal resource. diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 2a291f8ba6..f85714b12c 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Notifications @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Notifications policies +
          +
          + Notifications/DisallowNotificationMirroring +
          +
          + +
          **Notifications/DisallowNotificationMirroring** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 17298b3cdf..e981b7483e 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Power @@ -14,11 +14,42 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Power policies +
          +
          + Power/AllowStandbyWhenSleepingPluggedIn +
          +
          + Power/DisplayOffTimeoutOnBattery +
          +
          + Power/DisplayOffTimeoutPluggedIn +
          +
          + Power/HibernateTimeoutOnBattery +
          +
          + Power/HibernateTimeoutPluggedIn +
          +
          + Power/RequirePasswordWhenComputerWakesOnBattery +
          +
          + Power/RequirePasswordWhenComputerWakesPluggedIn +
          +
          + Power/StandbyTimeoutOnBattery +
          +
          + Power/StandbyTimeoutPluggedIn +
          +
          + +
          **Power/AllowStandbyWhenSleepingPluggedIn** @@ -45,6 +76,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. @@ -69,6 +109,7 @@ ADMX Info: +
          **Power/DisplayOffTimeoutOnBattery** @@ -95,6 +136,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. @@ -121,6 +171,7 @@ ADMX Info: +

          **Power/DisplayOffTimeoutPluggedIn** @@ -147,6 +198,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. @@ -173,6 +233,7 @@ ADMX Info: +

          **Power/HibernateTimeoutOnBattery** @@ -199,6 +260,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. @@ -226,6 +296,7 @@ ADMX Info: +

          **Power/HibernateTimeoutPluggedIn** @@ -252,6 +323,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. @@ -278,6 +358,7 @@ ADMX Info: +

          **Power/RequirePasswordWhenComputerWakesOnBattery** @@ -304,6 +385,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. @@ -328,6 +418,7 @@ ADMX Info: +
          **Power/RequirePasswordWhenComputerWakesPluggedIn** @@ -354,6 +445,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. @@ -378,6 +478,7 @@ ADMX Info: +
          **Power/StandbyTimeoutOnBattery** @@ -404,6 +505,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. @@ -430,6 +540,7 @@ ADMX Info: +

          **Power/StandbyTimeoutPluggedIn** @@ -456,6 +567,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index ffd1d93c3c..2e7c8296f2 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Printers @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Printers policies +
          +
          + Printers/PointAndPrintRestrictions +
          +
          + Printers/PointAndPrintRestrictions_User +
          +
          + Printers/PublishPrinters +
          +
          + +
          **Printers/PointAndPrintRestrictions** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. @@ -82,6 +104,7 @@ ADMX Info: +
          **Printers/PointAndPrintRestrictions_User** @@ -108,6 +131,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. @@ -145,6 +177,7 @@ ADMX Info: +
          **Printers/PublishPrinters** @@ -171,6 +204,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Determines whether the computer's shared printers can be published in Active Directory. diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 2db8de6070..f839be65ee 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Privacy @@ -14,11 +14,246 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Privacy policies +
          +
          + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +
          +
          + Privacy/AllowInputPersonalization +
          +
          + Privacy/DisableAdvertisingId +
          +
          + Privacy/EnableActivityFeed +
          +
          + Privacy/LetAppsAccessAccountInfo +
          +
          + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessCalendar +
          +
          + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessCallHistory +
          +
          + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessCamera +
          +
          + Privacy/LetAppsAccessCamera_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessCamera_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessContacts +
          +
          + Privacy/LetAppsAccessContacts_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessContacts_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessEmail +
          +
          + Privacy/LetAppsAccessEmail_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessEmail_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessLocation +
          +
          + Privacy/LetAppsAccessLocation_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessLocation_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessMessaging +
          +
          + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessMicrophone +
          +
          + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessMotion +
          +
          + Privacy/LetAppsAccessMotion_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessMotion_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessNotifications +
          +
          + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessPhone +
          +
          + Privacy/LetAppsAccessPhone_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessPhone_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessRadios +
          +
          + Privacy/LetAppsAccessRadios_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessRadios_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessTasks +
          +
          + Privacy/LetAppsAccessTasks_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessTasks_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsAccessTrustedDevices +
          +
          + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +
          +
          + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +
          +
          + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsGetDiagnosticInfo +
          +
          + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +
          +
          + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +
          +
          + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsRunInBackground +
          +
          + Privacy/LetAppsRunInBackground_ForceAllowTheseApps +
          +
          + Privacy/LetAppsRunInBackground_ForceDenyTheseApps +
          +
          + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +
          +
          + Privacy/LetAppsSyncWithDevices +
          +
          + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +
          +
          + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +
          +
          + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +
          +
          + Privacy/PublishUserActivities +
          +
          + +
          **Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** @@ -45,6 +280,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. @@ -60,6 +304,7 @@ ms.date: 08/30/2017 +

          **Privacy/AllowInputPersonalization** @@ -86,6 +331,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. @@ -99,6 +353,7 @@ ms.date: 08/30/2017 +

          **Privacy/DisableAdvertisingId** @@ -125,6 +380,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Enables or disables the Advertising ID. @@ -138,6 +402,7 @@ ms.date: 08/30/2017 +

          **Privacy/EnableActivityFeed** @@ -164,6 +429,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. @@ -174,6 +448,7 @@ The following list shows the supported values: +
          **Privacy/LetAppsAccessAccountInfo** @@ -200,6 +475,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. @@ -213,6 +497,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** @@ -239,11 +524,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** @@ -270,11 +565,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** @@ -301,11 +606,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCalendar** @@ -332,6 +647,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. @@ -345,6 +669,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** @@ -371,11 +696,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** @@ -402,11 +737,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** @@ -433,11 +778,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCallHistory** @@ -464,6 +819,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. @@ -477,6 +841,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** @@ -503,11 +868,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** @@ -534,11 +909,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** @@ -565,11 +950,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +

          **Privacy/LetAppsAccessCamera** @@ -596,6 +991,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. @@ -609,6 +1013,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessCamera_ForceAllowTheseApps** @@ -635,11 +1040,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +

          **Privacy/LetAppsAccessCamera_ForceDenyTheseApps** @@ -666,11 +1081,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +

          **Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** @@ -697,11 +1122,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +

          **Privacy/LetAppsAccessContacts** @@ -728,6 +1163,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. @@ -741,6 +1185,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessContacts_ForceAllowTheseApps** @@ -767,11 +1212,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +

          **Privacy/LetAppsAccessContacts_ForceDenyTheseApps** @@ -798,11 +1253,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +

          **Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** @@ -829,11 +1294,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +

          **Privacy/LetAppsAccessEmail** @@ -860,6 +1335,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access email. @@ -873,6 +1357,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessEmail_ForceAllowTheseApps** @@ -899,11 +1384,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +

          **Privacy/LetAppsAccessEmail_ForceDenyTheseApps** @@ -930,11 +1425,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +

          **Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** @@ -961,11 +1466,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +

          **Privacy/LetAppsAccessLocation** @@ -992,6 +1507,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access location. @@ -1005,6 +1529,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessLocation_ForceAllowTheseApps** @@ -1031,11 +1556,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +

          **Privacy/LetAppsAccessLocation_ForceDenyTheseApps** @@ -1062,11 +1597,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +

          **Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** @@ -1093,11 +1638,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +

          **Privacy/LetAppsAccessMessaging** @@ -1124,6 +1679,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). @@ -1137,6 +1701,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** @@ -1163,11 +1728,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +

          **Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** @@ -1194,11 +1769,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +

          **Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** @@ -1225,11 +1810,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +

          **Privacy/LetAppsAccessMicrophone** @@ -1256,6 +1851,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. @@ -1269,6 +1873,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** @@ -1295,11 +1900,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +

          **Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** @@ -1326,11 +1941,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +

          **Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** @@ -1357,11 +1982,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +

          **Privacy/LetAppsAccessMotion** @@ -1388,6 +2023,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. @@ -1401,6 +2045,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessMotion_ForceAllowTheseApps** @@ -1427,11 +2072,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +

          **Privacy/LetAppsAccessMotion_ForceDenyTheseApps** @@ -1458,11 +2113,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +

          **Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** @@ -1489,11 +2154,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +

          **Privacy/LetAppsAccessNotifications** @@ -1520,6 +2195,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. @@ -1533,6 +2217,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** @@ -1559,11 +2244,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +

          **Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** @@ -1590,11 +2285,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +

          **Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** @@ -1621,11 +2326,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +

          **Privacy/LetAppsAccessPhone** @@ -1652,6 +2367,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. @@ -1665,6 +2389,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessPhone_ForceAllowTheseApps** @@ -1691,11 +2416,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +

          **Privacy/LetAppsAccessPhone_ForceDenyTheseApps** @@ -1722,11 +2457,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +

          **Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** @@ -1753,11 +2498,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +

          **Privacy/LetAppsAccessRadios** @@ -1784,6 +2539,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. @@ -1797,6 +2561,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessRadios_ForceAllowTheseApps** @@ -1823,11 +2588,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +

          **Privacy/LetAppsAccessRadios_ForceDenyTheseApps** @@ -1854,11 +2629,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +

          **Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** @@ -1885,11 +2670,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +

          **Privacy/LetAppsAccessTasks** @@ -1916,11 +2711,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. +

          **Privacy/LetAppsAccessTasks_ForceAllowTheseApps** @@ -1947,11 +2752,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +

          **Privacy/LetAppsAccessTasks_ForceDenyTheseApps** @@ -1978,11 +2793,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +

          **Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** @@ -2009,11 +2834,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +

          **Privacy/LetAppsAccessTrustedDevices** @@ -2040,6 +2875,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. @@ -2053,6 +2897,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** @@ -2079,11 +2924,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +

          **Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** @@ -2110,11 +2965,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +

          **Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** @@ -2141,11 +3006,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +

          **Privacy/LetAppsGetDiagnosticInfo** @@ -2172,6 +3047,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. @@ -2185,6 +3069,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** @@ -2211,11 +3096,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +

          **Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** @@ -2242,11 +3137,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +

          **Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** @@ -2273,11 +3178,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +

          **Privacy/LetAppsRunInBackground** @@ -2304,6 +3219,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. @@ -2319,6 +3243,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsRunInBackground_ForceAllowTheseApps** @@ -2345,11 +3270,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +

          **Privacy/LetAppsRunInBackground_ForceDenyTheseApps** @@ -2376,11 +3311,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +

          **Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** @@ -2407,11 +3352,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +

          **Privacy/LetAppsSyncWithDevices** @@ -2438,6 +3393,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. @@ -2451,6 +3415,7 @@ The following list shows the supported values: +

          **Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** @@ -2477,11 +3442,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +

          **Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** @@ -2508,11 +3483,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +

          **Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** @@ -2539,11 +3524,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +

          **Privacy/PublishUserActivities** @@ -2570,6 +3565,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 61751bca3b..71e7c1ee14 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteAssistance @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## RemoteAssistance policies +
          +
          + RemoteAssistance/CustomizeWarningMessages +
          +
          + RemoteAssistance/SessionLogging +
          +
          + RemoteAssistance/SolicitedRemoteAssistance +
          +
          + RemoteAssistance/UnsolicitedRemoteAssistance +
          +
          + +
          **RemoteAssistance/CustomizeWarningMessages** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting lets you customize warning messages. @@ -75,6 +100,7 @@ ADMX Info: +
          **RemoteAssistance/SessionLogging** @@ -101,6 +127,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. @@ -127,6 +162,7 @@ ADMX Info: +
          **RemoteAssistance/SolicitedRemoteAssistance** @@ -153,6 +189,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. @@ -187,6 +232,7 @@ ADMX Info: +
          **RemoteAssistance/UnsolicitedRemoteAssistance** @@ -213,6 +259,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 411214069f..589ff8b724 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteDesktopServices @@ -14,11 +14,33 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## RemoteDesktopServices policies +
          +
          + RemoteDesktopServices/AllowUsersToConnectRemotely +
          +
          + RemoteDesktopServices/ClientConnectionEncryptionLevel +
          +
          + RemoteDesktopServices/DoNotAllowDriveRedirection +
          +
          + RemoteDesktopServices/DoNotAllowPasswordSaving +
          +
          + RemoteDesktopServices/PromptForPasswordUponConnection +
          +
          + RemoteDesktopServices/RequireSecureRPCCommunication +
          +
          + +
          **RemoteDesktopServices/AllowUsersToConnectRemotely** @@ -45,6 +67,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting allows you to configure remote access to computers by using Remote Desktop Services. @@ -75,6 +106,7 @@ ADMX Info: +
          **RemoteDesktopServices/ClientConnectionEncryptionLevel** @@ -101,6 +133,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. @@ -135,6 +176,7 @@ ADMX Info: +
          **RemoteDesktopServices/DoNotAllowDriveRedirection** @@ -161,6 +203,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). @@ -189,6 +240,7 @@ ADMX Info: +
          **RemoteDesktopServices/DoNotAllowPasswordSaving** @@ -215,6 +267,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Controls whether passwords can be saved on this computer from Remote Desktop Connection. @@ -239,6 +300,7 @@ ADMX Info: +
          **RemoteDesktopServices/PromptForPasswordUponConnection** @@ -265,6 +327,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. @@ -295,6 +366,7 @@ ADMX Info: +
          **RemoteDesktopServices/RequireSecureRPCCommunication** @@ -321,6 +393,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index d084b5d609..7ed74820ef 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteManagement @@ -14,11 +14,60 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## RemoteManagement policies +
          +
          + RemoteManagement/AllowBasicAuthentication_Client +
          +
          + RemoteManagement/AllowBasicAuthentication_Service +
          +
          + RemoteManagement/AllowCredSSPAuthenticationClient +
          +
          + RemoteManagement/AllowCredSSPAuthenticationService +
          +
          + RemoteManagement/AllowRemoteServerManagement +
          +
          + RemoteManagement/AllowUnencryptedTraffic_Client +
          +
          + RemoteManagement/AllowUnencryptedTraffic_Service +
          +
          + RemoteManagement/DisallowDigestAuthentication +
          +
          + RemoteManagement/DisallowNegotiateAuthenticationClient +
          +
          + RemoteManagement/DisallowNegotiateAuthenticationService +
          +
          + RemoteManagement/DisallowStoringOfRunAsCredentials +
          +
          + RemoteManagement/SpecifyChannelBindingTokenHardeningLevel +
          +
          + RemoteManagement/TrustedHosts +
          +
          + RemoteManagement/TurnOnCompatibilityHTTPListener +
          +
          + RemoteManagement/TurnOnCompatibilityHTTPSListener +
          +
          + +
          **RemoteManagement/AllowBasicAuthentication_Client** @@ -45,6 +94,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -63,6 +121,7 @@ ADMX Info: +
          **RemoteManagement/AllowBasicAuthentication_Service** @@ -89,6 +148,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -107,6 +175,7 @@ ADMX Info: +
          **RemoteManagement/AllowCredSSPAuthenticationClient** @@ -133,6 +202,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -151,6 +229,7 @@ ADMX Info: +
          **RemoteManagement/AllowCredSSPAuthenticationService** @@ -177,6 +256,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -195,6 +283,7 @@ ADMX Info: +
          **RemoteManagement/AllowRemoteServerManagement** @@ -221,6 +310,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -239,6 +337,7 @@ ADMX Info: +
          **RemoteManagement/AllowUnencryptedTraffic_Client** @@ -265,6 +364,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -283,6 +391,7 @@ ADMX Info: +
          **RemoteManagement/AllowUnencryptedTraffic_Service** @@ -309,6 +418,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -327,6 +445,7 @@ ADMX Info: +
          **RemoteManagement/DisallowDigestAuthentication** @@ -353,6 +472,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -371,6 +499,7 @@ ADMX Info: +
          **RemoteManagement/DisallowNegotiateAuthenticationClient** @@ -397,6 +526,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -415,6 +553,7 @@ ADMX Info: +
          **RemoteManagement/DisallowNegotiateAuthenticationService** @@ -441,6 +580,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -459,6 +607,7 @@ ADMX Info: +
          **RemoteManagement/DisallowStoringOfRunAsCredentials** @@ -485,6 +634,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -503,6 +661,7 @@ ADMX Info: +
          **RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** @@ -529,6 +688,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -547,6 +715,7 @@ ADMX Info: +
          **RemoteManagement/TrustedHosts** @@ -573,6 +742,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -591,6 +769,7 @@ ADMX Info: +
          **RemoteManagement/TurnOnCompatibilityHTTPListener** @@ -617,6 +796,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -635,6 +823,7 @@ ADMX Info: +
          **RemoteManagement/TurnOnCompatibilityHTTPSListener** @@ -661,6 +850,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index dc1dab2c86..37e4a03a6a 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteProcedureCall @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## RemoteProcedureCall policies +
          +
          + RemoteProcedureCall/RPCEndpointMapperClientAuthentication +
          +
          + RemoteProcedureCall/RestrictUnauthenticatedRPCClients +
          +
          + +
          **RemoteProcedureCall/RPCEndpointMapperClientAuthentication** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. @@ -73,6 +92,7 @@ ADMX Info: +
          **RemoteProcedureCall/RestrictUnauthenticatedRPCClients** @@ -99,6 +119,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 32309bdf9d..9dd90c60be 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteShell @@ -14,11 +14,36 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## RemoteShell policies +
          +
          + RemoteShell/AllowRemoteShellAccess +
          +
          + RemoteShell/MaxConcurrentUsers +
          +
          + RemoteShell/SpecifyIdleTimeout +
          +
          + RemoteShell/SpecifyMaxMemory +
          +
          + RemoteShell/SpecifyMaxProcesses +
          +
          + RemoteShell/SpecifyMaxRemoteShells +
          +
          + RemoteShell/SpecifyShellTimeout +
          +
          + +
          **RemoteShell/AllowRemoteShellAccess** @@ -45,6 +70,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -63,6 +97,7 @@ ADMX Info: +
          **RemoteShell/MaxConcurrentUsers** @@ -89,6 +124,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -107,6 +151,7 @@ ADMX Info: +
          **RemoteShell/SpecifyIdleTimeout** @@ -133,6 +178,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -151,6 +205,7 @@ ADMX Info: +
          **RemoteShell/SpecifyMaxMemory** @@ -177,6 +232,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -195,6 +259,7 @@ ADMX Info: +
          **RemoteShell/SpecifyMaxProcesses** @@ -221,6 +286,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -239,6 +313,7 @@ ADMX Info: +
          **RemoteShell/SpecifyMaxRemoteShells** @@ -265,6 +340,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] @@ -283,6 +367,7 @@ ADMX Info: +
          **RemoteShell/SpecifyShellTimeout** @@ -309,6 +394,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 783aac1e8d..d8d759bd86 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Search @@ -14,11 +14,45 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Search policies +
          +
          + Search/AllowCloudSearch +
          +
          + Search/AllowIndexingEncryptedStoresOrItems +
          +
          + Search/AllowSearchToUseLocation +
          +
          + Search/AllowUsingDiacritics +
          +
          + Search/AlwaysUseAutoLangDetection +
          +
          + Search/DisableBackoff +
          +
          + Search/DisableRemovableDriveIndexing +
          +
          + Search/PreventIndexingLowDiskSpaceMB +
          +
          + Search/PreventRemoteQueries +
          +
          + Search/SafeSearchPermissions +
          +
          + +
          **Search/AllowCloudSearch** @@ -45,6 +79,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. @@ -55,6 +98,7 @@ ms.date: 08/30/2017 +

          **Search/AllowIndexingEncryptedStoresOrItems** @@ -81,6 +125,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. @@ -97,6 +150,7 @@ ms.date: 08/30/2017 +

          **Search/AllowSearchToUseLocation** @@ -123,6 +177,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether search can leverage location information. @@ -135,6 +198,7 @@ ms.date: 08/30/2017 +

          **Search/AllowUsingDiacritics** @@ -161,6 +225,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows the use of diacritics. @@ -173,6 +246,7 @@ ms.date: 08/30/2017 +

          **Search/AlwaysUseAutoLangDetection** @@ -199,6 +273,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to always use automatic language detection when indexing content and properties. @@ -211,6 +294,7 @@ ms.date: 08/30/2017 +

          **Search/DisableBackoff** @@ -237,6 +321,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. @@ -247,6 +340,7 @@ ms.date: 08/30/2017 +

          **Search/DisableRemovableDriveIndexing** @@ -273,6 +367,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          This policy setting configures whether or not locations on removable drives can be added to libraries. @@ -287,6 +390,7 @@ ms.date: 08/30/2017 +

          **Search/PreventIndexingLowDiskSpaceMB** @@ -313,6 +417,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. @@ -327,6 +440,7 @@ ms.date: 08/30/2017 +

          **Search/PreventRemoteQueries** @@ -353,6 +467,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. @@ -363,6 +486,7 @@ ms.date: 08/30/2017 +

          **Search/SafeSearchPermissions** @@ -389,6 +513,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 229903014f..be8599f45e 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Security @@ -14,11 +14,45 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Security policies +
          +
          + Security/AllowAddProvisioningPackage +
          +
          + Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices +
          +
          + Security/AllowManualRootCertificateInstallation +
          +
          + Security/AllowRemoveProvisioningPackage +
          +
          + Security/AntiTheftMode +
          +
          + Security/ClearTPMIfNotReady +
          +
          + Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices +
          +
          + Security/RequireDeviceEncryption +
          +
          + Security/RequireProvisioningPackageSignature +
          +
          + Security/RequireRetrieveHealthCertificateOnBoot +
          +
          + +
          **Security/AllowAddProvisioningPackage** @@ -45,6 +79,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to allow the runtime configuration agent to install provisioning packages. @@ -55,6 +98,7 @@ ms.date: 08/30/2017 +

          **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** @@ -100,6 +144,7 @@ ms.date: 08/30/2017 +
          **Security/AllowManualRootCertificateInstallation** @@ -126,6 +171,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -142,6 +196,7 @@ ms.date: 08/30/2017 +
          **Security/AllowRemoveProvisioningPackage** @@ -168,6 +223,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to allow the runtime configuration agent to remove provisioning packages. @@ -178,6 +242,7 @@ ms.date: 08/30/2017 +

          **Security/AntiTheftMode** @@ -204,6 +269,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -218,6 +292,7 @@ ms.date: 08/30/2017 +
          **Security/ClearTPMIfNotReady** @@ -244,6 +319,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -257,6 +341,7 @@ The following list shows the supported values: +
          **Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** @@ -283,6 +368,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -299,6 +393,7 @@ The following list shows the supported values: +
          **Security/RequireDeviceEncryption** @@ -325,6 +420,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. @@ -343,6 +447,7 @@ The following list shows the supported values: +
          **Security/RequireProvisioningPackageSignature** @@ -369,6 +474,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether provisioning packages must have a certificate signed by a device trusted authority. @@ -379,6 +493,7 @@ The following list shows the supported values: +

          **Security/RequireRetrieveHealthCertificateOnBoot** @@ -405,6 +520,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 50a3295347..987f2c639b 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Settings @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Settings policies +
          +
          + Settings/AllowAutoPlay +
          +
          + Settings/AllowDataSense +
          +
          + Settings/AllowDateTime +
          +
          + Settings/AllowEditDeviceName +
          +
          + Settings/AllowLanguage +
          +
          + Settings/AllowPowerSleep +
          +
          + Settings/AllowRegion +
          +
          + Settings/AllowSignInOptions +
          +
          + Settings/AllowVPN +
          +
          + Settings/AllowWorkplace +
          +
          + Settings/AllowYourAccount +
          +
          + Settings/ConfigureTaskbarCalendar +
          +
          + Settings/PageVisibilityList +
          +
          + +
          **Settings/AllowAutoPlay** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -62,6 +114,7 @@ ms.date: 08/30/2017 +
          **Settings/AllowDataSense** @@ -88,6 +141,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows the user to change Data Sense settings. @@ -98,6 +160,7 @@ ms.date: 08/30/2017 +

          **Settings/AllowDateTime** @@ -124,6 +187,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows the user to change date and time settings. @@ -134,6 +206,7 @@ ms.date: 08/30/2017 +

          **Settings/AllowEditDeviceName** @@ -160,6 +233,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows editing of the device name. @@ -170,6 +252,7 @@ ms.date: 08/30/2017 +

          **Settings/AllowLanguage** @@ -196,6 +279,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -210,6 +302,7 @@ ms.date: 08/30/2017 +
          **Settings/AllowPowerSleep** @@ -236,6 +329,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -250,6 +352,7 @@ ms.date: 08/30/2017 +
          **Settings/AllowRegion** @@ -276,6 +379,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -290,6 +402,7 @@ ms.date: 08/30/2017 +
          **Settings/AllowSignInOptions** @@ -316,6 +429,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -330,6 +452,7 @@ ms.date: 08/30/2017 +
          **Settings/AllowVPN** @@ -356,6 +479,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows the user to change VPN settings. @@ -366,6 +498,7 @@ ms.date: 08/30/2017 +

          **Settings/AllowWorkplace** @@ -392,6 +525,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -406,6 +548,7 @@ ms.date: 08/30/2017 +
          **Settings/AllowYourAccount** @@ -432,6 +575,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows user to change account settings. @@ -442,6 +594,7 @@ ms.date: 08/30/2017 +

          **Settings/ConfigureTaskbarCalendar** @@ -468,6 +621,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -480,6 +642,7 @@ ms.date: 08/30/2017 +

          **Settings/PageVisibilityList** @@ -506,6 +669,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index adc515f986..2437d31e21 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - SmartScreen @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## SmartScreen policies +
          +
          + SmartScreen/EnableAppInstallControl +
          +
          + SmartScreen/EnableSmartScreenInShell +
          +
          + SmartScreen/PreventOverrideForFilesInShell +
          +
          + +
          **SmartScreen/EnableAppInstallControl** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. @@ -55,6 +77,7 @@ ms.date: 08/30/2017 +

          **SmartScreen/EnableSmartScreenInShell** @@ -81,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. @@ -91,6 +123,7 @@ ms.date: 08/30/2017 +

          **SmartScreen/PreventOverrideForFilesInShell** @@ -117,6 +150,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 833057f11a..de1665ee8d 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Speech @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Speech policies +
          +
          + Speech/AllowSpeechModelUpdate +
          +
          + +
          **Speech/AllowSpeechModelUpdate** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 75e90f86a0..f73f1b8331 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Start @@ -14,11 +14,99 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Start policies +
          +
          + Start/AllowPinnedFolderDocuments +
          +
          + Start/AllowPinnedFolderDownloads +
          +
          + Start/AllowPinnedFolderFileExplorer +
          +
          + Start/AllowPinnedFolderHomeGroup +
          +
          + Start/AllowPinnedFolderMusic +
          +
          + Start/AllowPinnedFolderNetwork +
          +
          + Start/AllowPinnedFolderPersonalFolder +
          +
          + Start/AllowPinnedFolderPictures +
          +
          + Start/AllowPinnedFolderSettings +
          +
          + Start/AllowPinnedFolderVideos +
          +
          + Start/ForceStartSize +
          +
          + Start/HideAppList +
          +
          + Start/HideChangeAccountSettings +
          +
          + Start/HideFrequentlyUsedApps +
          +
          + Start/HideHibernate +
          +
          + Start/HideLock +
          +
          + Start/HidePowerButton +
          +
          + Start/HideRecentJumplists +
          +
          + Start/HideRecentlyAddedApps +
          +
          + Start/HideRestart +
          +
          + Start/HideShutDown +
          +
          + Start/HideSignOut +
          +
          + Start/HideSleep +
          +
          + Start/HideSwitchAccount +
          +
          + Start/HideUserTile +
          +
          + Start/ImportEdgeAssets +
          +
          + Start/NoPinningToTaskbar +
          +
          + Start/StartLayout +
          +
          + +
          **Start/AllowPinnedFolderDocuments** @@ -45,6 +133,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. @@ -56,6 +153,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderDownloads** @@ -82,6 +180,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. @@ -93,6 +200,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderFileExplorer** @@ -119,6 +227,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. @@ -130,6 +247,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderHomeGroup** @@ -156,6 +274,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. @@ -167,6 +294,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderMusic** @@ -193,6 +321,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. @@ -204,6 +341,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderNetwork** @@ -230,6 +368,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. @@ -241,6 +388,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderPersonalFolder** @@ -267,6 +415,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. @@ -278,6 +435,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderPictures** @@ -304,6 +462,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. @@ -315,6 +482,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderSettings** @@ -341,6 +509,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. @@ -352,6 +529,7 @@ ms.date: 08/30/2017 +

          **Start/AllowPinnedFolderVideos** @@ -378,6 +556,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. @@ -389,6 +576,7 @@ ms.date: 08/30/2017 +

          **Start/ForceStartSize** @@ -415,6 +603,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -432,6 +629,7 @@ ms.date: 08/30/2017 +
          **Start/HideAppList** @@ -458,6 +656,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -483,6 +690,7 @@ ms.date: 08/30/2017 +
          **Start/HideChangeAccountSettings** @@ -509,6 +717,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. @@ -524,6 +741,7 @@ ms.date: 08/30/2017 +

          **Start/HideFrequentlyUsedApps** @@ -550,6 +768,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -572,6 +799,7 @@ ms.date: 08/30/2017 +
          **Start/HideHibernate** @@ -598,6 +826,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. @@ -616,6 +853,7 @@ ms.date: 08/30/2017 +

          **Start/HideLock** @@ -642,6 +880,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. @@ -657,6 +904,7 @@ ms.date: 08/30/2017 +

          **Start/HidePowerButton** @@ -683,6 +931,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -701,6 +958,7 @@ ms.date: 08/30/2017 +
          **Start/HideRecentJumplists** @@ -727,6 +985,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -752,6 +1019,7 @@ ms.date: 08/30/2017 +
          **Start/HideRecentlyAddedApps** @@ -778,6 +1046,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -800,6 +1077,7 @@ ms.date: 08/30/2017 +
          **Start/HideRestart** @@ -826,6 +1104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. @@ -841,6 +1128,7 @@ ms.date: 08/30/2017 +

          **Start/HideShutDown** @@ -867,6 +1155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. @@ -882,6 +1179,7 @@ ms.date: 08/30/2017 +

          **Start/HideSignOut** @@ -908,6 +1206,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. @@ -923,6 +1230,7 @@ ms.date: 08/30/2017 +

          **Start/HideSleep** @@ -949,6 +1257,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. @@ -964,6 +1281,7 @@ ms.date: 08/30/2017 +

          **Start/HideSwitchAccount** @@ -990,6 +1308,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. @@ -1005,6 +1332,7 @@ ms.date: 08/30/2017 +

          **Start/HideUserTile** @@ -1031,6 +1359,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -1050,6 +1387,7 @@ ms.date: 08/30/2017 +
          **Start/ImportEdgeAssets** @@ -1076,6 +1414,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy requires reboot to take effect. @@ -1096,6 +1443,7 @@ ms.date: 08/30/2017 +
          **Start/NoPinningToTaskbar** @@ -1122,6 +1470,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. @@ -1140,6 +1497,7 @@ ms.date: 08/30/2017 +

          **Start/StartLayout** @@ -1166,6 +1524,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + > [!IMPORTANT] > This node is set on a per-user basis and must be accessed using the following paths: diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index e73be79d8b..f7485274a3 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Storage @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## Storage policies +
          +
          + Storage/EnhancedStorageDevices +
          +
          + +
          **Storage/EnhancedStorageDevices** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + This policy setting configures whether or not Windows will activate an Enhanced Storage device. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 547782becf..e05d775dd4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/20/2017 +ms.date: 09/29/2017 --- # Policy CSP - System @@ -14,11 +14,54 @@ ms.date: 09/20/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## System policies +
          +
          + System/AllowBuildPreview +
          +
          + System/AllowEmbeddedMode +
          +
          + System/AllowExperimentation +
          +
          + System/AllowFontProviders +
          +
          + System/AllowLocation +
          +
          + System/AllowStorageCard +
          +
          + System/AllowTelemetry +
          +
          + System/AllowUserToResetPhone +
          +
          + System/BootStartDriverInitialization +
          +
          + System/DisableOneDriveFileSync +
          +
          + System/DisableSystemRestore +
          +
          + System/LimitEnhancedDiagnosticDataWindowsAnalytics +
          +
          + System/TelemetryProxy +
          +
          + +
          **System/AllowBuildPreview** @@ -45,6 +88,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. @@ -62,6 +114,7 @@ ms.date: 09/20/2017 +
          **System/AllowEmbeddedMode** @@ -88,6 +141,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether set general purpose device to be in embedded mode. @@ -100,6 +162,7 @@ ms.date: 09/20/2017 +

          **System/AllowExperimentation** @@ -126,6 +189,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is not supported in Windows 10, version 1607. @@ -142,6 +214,7 @@ ms.date: 09/20/2017 +
          **System/AllowFontProviders** @@ -168,6 +241,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. @@ -189,6 +271,7 @@ ms.date: 09/20/2017 +

          **System/AllowLocation** @@ -215,6 +298,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to allow app access to the Location service. @@ -234,6 +326,7 @@ ms.date: 09/20/2017 +

          **System/AllowStorageCard** @@ -260,6 +353,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. @@ -272,6 +374,7 @@ ms.date: 09/20/2017 +

          **System/AllowTelemetry** @@ -298,6 +401,16 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + +

          Allow the device to send diagnostic and usage telemetry data, such as Watson. @@ -378,6 +491,7 @@ Windows 10 Values: +

          **System/AllowUserToResetPhone** @@ -404,6 +518,15 @@ Windows 10 Values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. @@ -416,6 +539,7 @@ Windows 10 Values: +

          **System/BootStartDriverInitialization** @@ -442,6 +566,15 @@ Windows 10 Values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + N/A @@ -460,6 +593,7 @@ ADMX Info: +
          **System/DisableOneDriveFileSync** @@ -486,6 +620,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: @@ -510,6 +653,7 @@ ADMX Info: +

          **System/DisableSystemRestore** @@ -536,6 +680,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + Allows you to disable System Restore. @@ -566,6 +719,7 @@ ADMX Info: +
          **System/LimitEnhancedDiagnosticDataWindowsAnalytics** @@ -592,6 +746,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. @@ -608,9 +771,9 @@ ADMX Info:

          If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. - +

          **System/TelemetryProxy** @@ -637,6 +800,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 08041394b9..fde893e7ec 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - TextInput @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## TextInput policies +
          +
          + TextInput/AllowIMELogging +
          +
          + TextInput/AllowIMENetworkAccess +
          +
          + TextInput/AllowInputPanel +
          +
          + TextInput/AllowJapaneseIMESurrogatePairCharacters +
          +
          + TextInput/AllowJapaneseIVSCharacters +
          +
          + TextInput/AllowJapaneseNonPublishingStandardGlyph +
          +
          + TextInput/AllowJapaneseUserDictionary +
          +
          + TextInput/AllowKeyboardTextSuggestions +
          +
          + TextInput/AllowKoreanExtendedHanja +
          +
          + TextInput/AllowLanguageFeaturesUninstall +
          +
          + TextInput/ExcludeJapaneseIMEExceptJIS0208 +
          +
          + TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC +
          +
          + TextInput/ExcludeJapaneseIMEExceptShiftJIS +
          +
          + +
          **TextInput/AllowIMELogging** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -61,6 +113,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowIMENetworkAccess** @@ -87,6 +140,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -103,6 +165,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowInputPanel** @@ -129,6 +192,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -145,6 +217,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowJapaneseIMESurrogatePairCharacters** @@ -171,6 +244,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -187,6 +269,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowJapaneseIVSCharacters** @@ -213,6 +296,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -229,6 +321,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowJapaneseNonPublishingStandardGlyph** @@ -255,6 +348,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -271,6 +373,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowJapaneseUserDictionary** @@ -297,6 +400,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -313,6 +425,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowKeyboardTextSuggestions** @@ -339,6 +452,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -360,6 +482,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowKoreanExtendedHanja** @@ -368,6 +491,7 @@ ms.date: 08/30/2017 +
          **TextInput/AllowLanguageFeaturesUninstall** @@ -394,6 +518,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -410,6 +543,7 @@ ms.date: 08/30/2017 +
          **TextInput/ExcludeJapaneseIMEExceptJIS0208** @@ -436,6 +570,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -450,6 +593,7 @@ ms.date: 08/30/2017 +
          **TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** @@ -476,6 +620,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -490,6 +643,7 @@ ms.date: 08/30/2017 +
          **TextInput/ExcludeJapaneseIMEExceptShiftJIS** @@ -516,6 +670,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 5eba1aac1c..5da538c24a 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - TimeLanguageSettings @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
          + ## TimeLanguageSettings policies +
          +
          + TimeLanguageSettings/AllowSet24HourClock +
          +
          + +
          **TimeLanguageSettings/AllowSet24HourClock** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index befad78d96..63d53d42c4 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/20/2017 +ms.date: 09/29/2017 --- # Policy CSP - Update @@ -14,11 +14,150 @@ ms.date: 09/20/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

          + ## Update policies +
          +
          + Update/ActiveHoursEnd +
          +
          + Update/ActiveHoursMaxRange +
          +
          + Update/ActiveHoursStart +
          +
          + Update/AllowAutoUpdate +
          +
          + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +
          +
          + Update/AllowMUUpdateService +
          +
          + Update/AllowNonMicrosoftSignedUpdate +
          +
          + Update/AllowUpdateService +
          +
          + Update/AutoRestartDeadlinePeriodInDays +
          +
          + Update/AutoRestartNotificationSchedule +
          +
          + Update/AutoRestartRequiredNotificationDismissal +
          +
          + Update/BranchReadinessLevel +
          +
          + Update/DeferFeatureUpdatesPeriodInDays +
          +
          + Update/DeferQualityUpdatesPeriodInDays +
          +
          + Update/DeferUpdatePeriod +
          +
          + Update/DeferUpgradePeriod +
          +
          + Update/DetectionFrequency +
          +
          + Update/DisableDualScan +
          +
          + Update/EngagedRestartDeadline +
          +
          + Update/EngagedRestartSnoozeSchedule +
          +
          + Update/EngagedRestartTransitionSchedule +
          +
          + Update/ExcludeWUDriversInQualityUpdate +
          +
          + Update/FillEmptyContentUrls +
          +
          + Update/IgnoreMOAppDownloadLimit +
          +
          + Update/IgnoreMOUpdateDownloadLimit +
          +
          + Update/PauseDeferrals +
          +
          + Update/PauseFeatureUpdates +
          +
          + Update/PauseFeatureUpdatesStartTime +
          +
          + Update/PauseQualityUpdates +
          +
          + Update/PauseQualityUpdatesStartTime +
          +
          + Update/RequireDeferUpgrade +
          +
          + Update/RequireUpdateApproval +
          +
          + Update/ScheduleImminentRestartWarning +
          +
          + Update/ScheduleRestartWarning +
          +
          + Update/ScheduledInstallDay +
          +
          + Update/ScheduledInstallEveryWeek +
          +
          + Update/ScheduledInstallFirstWeek +
          +
          + Update/ScheduledInstallFourthWeek +
          +
          + Update/ScheduledInstallSecondWeek +
          +
          + Update/ScheduledInstallThirdWeek +
          +
          + Update/ScheduledInstallTime +
          +
          + Update/SetAutoRestartNotificationDisable +
          +
          + Update/SetEDURestart +
          +
          + Update/UpdateServiceUrl +
          +
          + Update/UpdateServiceUrlAlternate +
          +
          + +
          **Update/ActiveHoursEnd** @@ -45,6 +184,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. @@ -57,6 +205,7 @@ ms.date: 09/20/2017 +

          **Update/ActiveHoursMaxRange** @@ -83,6 +232,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. @@ -92,6 +250,7 @@ ms.date: 09/20/2017 +

          **Update/ActiveHoursStart** @@ -118,6 +277,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. @@ -130,6 +298,7 @@ ms.date: 09/20/2017 +

          **Update/AllowAutoUpdate** @@ -156,6 +325,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Enables the IT admin to manage automatic update behavior to scan, download, and install updates. @@ -178,6 +356,7 @@ ms.date: 09/20/2017 +

          **Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** @@ -204,6 +383,15 @@ ms.date: 09/20/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. @@ -213,8 +401,10 @@ ms.date: 09/20/2017 A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. This policy is accessible through the Update setting in the user interface or Group Policy. + +

          **Update/AllowMUUpdateService** @@ -241,6 +431,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. @@ -251,6 +450,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/AllowNonMicrosoftSignedUpdate** @@ -277,6 +477,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. @@ -291,6 +500,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/AllowUpdateService** @@ -317,6 +527,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. @@ -334,6 +553,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/AutoRestartDeadlinePeriodInDays** @@ -360,6 +580,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. @@ -369,6 +598,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/AutoRestartNotificationSchedule** @@ -395,6 +625,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. @@ -404,6 +643,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/AutoRestartRequiredNotificationDismissal** @@ -430,6 +670,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. @@ -440,6 +689,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/BranchReadinessLevel** @@ -466,6 +716,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. @@ -477,9 +736,9 @@ This policy is accessible through the Update setting in the user interface or Gr - 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). - 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. - +

          **Update/DeferFeatureUpdatesPeriodInDays** @@ -506,6 +765,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -518,6 +786,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/DeferQualityUpdatesPeriodInDays** @@ -544,6 +813,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. @@ -551,6 +829,7 @@ This policy is accessible through the Update setting in the user interface or Gr +

          **Update/DeferUpdatePeriod** @@ -577,6 +856,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. @@ -675,6 +963,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/DeferUpgradePeriod** @@ -701,6 +990,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -718,6 +1016,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/DetectionFrequency** @@ -744,11 +1043,21 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. +

          **Update/DisableDualScan** @@ -775,6 +1084,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. @@ -789,6 +1107,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/EngagedRestartDeadline** @@ -815,6 +1134,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). @@ -824,6 +1152,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/EngagedRestartSnoozeSchedule** @@ -850,6 +1179,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. @@ -859,6 +1197,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/EngagedRestartTransitionSchedule** @@ -885,6 +1224,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. @@ -894,6 +1242,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/ExcludeWUDriversInQualityUpdate** @@ -920,6 +1269,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -933,6 +1291,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/FillEmptyContentUrls** @@ -959,6 +1318,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). @@ -972,6 +1340,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/IgnoreMOAppDownloadLimit** @@ -998,6 +1367,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -1021,6 +1399,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/IgnoreMOUpdateDownloadLimit** @@ -1047,6 +1426,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -1068,6 +1456,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/PauseDeferrals** @@ -1094,6 +1483,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. @@ -1112,6 +1510,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/PauseFeatureUpdates** @@ -1138,6 +1537,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -1151,6 +1559,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/PauseFeatureUpdatesStartTime** @@ -1177,6 +1586,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. @@ -1184,6 +1602,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/PauseQualityUpdates** @@ -1210,6 +1629,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. @@ -1220,6 +1648,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/PauseQualityUpdatesStartTime** @@ -1246,6 +1675,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. @@ -1253,6 +1691,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/RequireDeferUpgrade** @@ -1279,6 +1718,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. @@ -1293,6 +1741,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/RequireUpdateApproval** @@ -1319,6 +1768,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. @@ -1335,6 +1793,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/ScheduleImminentRestartWarning** @@ -1361,6 +1820,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. @@ -1370,6 +1838,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/ScheduleRestartWarning** @@ -1396,6 +1865,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -1409,6 +1887,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
          **Update/ScheduledInstallDay** @@ -1435,6 +1914,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Enables the IT admin to schedule the day of the update installation. @@ -1455,6 +1943,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

          **Update/ScheduledInstallEveryWeek** @@ -1481,6 +1970,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + +

          Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:

            @@ -1490,6 +1988,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
            **Update/ScheduledInstallFirstWeek** @@ -1516,6 +2015,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + +

            Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:

              @@ -1525,6 +2033,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
              **Update/ScheduledInstallFourthWeek** @@ -1551,6 +2060,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
              + +

              Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:

                @@ -1560,6 +2078,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
                **Update/ScheduledInstallSecondWeek** @@ -1586,6 +2105,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                + +

                Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:

                  @@ -1595,6 +2123,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
                  **Update/ScheduledInstallThirdWeek** @@ -1621,6 +2150,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + +

                  Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:

                    @@ -1630,6 +2168,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
                    **Update/ScheduledInstallTime** @@ -1656,6 +2195,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -1673,6 +2221,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
                    **Update/SetAutoRestartNotificationDisable** @@ -1699,6 +2248,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. @@ -1709,6 +2267,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

                    **Update/SetEDURestart** @@ -1735,6 +2294,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. @@ -1745,6 +2313,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +

                    **Update/UpdateServiceUrl** @@ -1771,6 +2340,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + + > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. @@ -1804,6 +2382,7 @@ Example +
                    **Update/UpdateServiceUrlAlternate** @@ -1830,6 +2409,15 @@ Example + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 7d019f9c35..e035750dfa 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Wifi @@ -14,11 +14,36 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

                    + ## Wifi policies +
                    +
                    + WiFi/AllowWiFiHotSpotReporting +
                    +
                    + Wifi/AllowAutoConnectToWiFiSenseHotspots +
                    +
                    + Wifi/AllowInternetSharing +
                    +
                    + Wifi/AllowManualWiFiConfiguration +
                    +
                    + Wifi/AllowWiFi +
                    +
                    + Wifi/AllowWiFiDirect +
                    +
                    + Wifi/WLANScanMode +
                    +
                    + +
                    **WiFi/AllowWiFiHotSpotReporting** @@ -27,6 +52,7 @@ ms.date: 08/30/2017 +
                    **Wifi/AllowAutoConnectToWiFiSenseHotspots** @@ -53,6 +79,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Allow or disallow the device to automatically connect to Wi-Fi hotspots. @@ -65,6 +100,7 @@ ms.date: 08/30/2017 +

                    **Wifi/AllowInternetSharing** @@ -91,6 +127,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Allow or disallow internet sharing. @@ -103,6 +148,7 @@ ms.date: 08/30/2017 +

                    **Wifi/AllowManualWiFiConfiguration** @@ -129,6 +175,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. @@ -144,6 +199,7 @@ ms.date: 08/30/2017 +

                    **Wifi/AllowWiFi** @@ -170,6 +226,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Allow or disallow WiFi connection. @@ -182,6 +247,7 @@ ms.date: 08/30/2017 +

                    **Wifi/AllowWiFiDirect** @@ -208,6 +274,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. Allow WiFi Direct connection.. @@ -216,6 +291,7 @@ ms.date: 08/30/2017 +

                    **Wifi/WLANScanMode** @@ -242,6 +318,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index ba85960f84..d47b897f44 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WindowsDefenderSecurityCenter @@ -14,11 +14,57 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

                    + ## WindowsDefenderSecurityCenter policies +
                    +
                    + WindowsDefenderSecurityCenter/CompanyName +
                    +
                    + WindowsDefenderSecurityCenter/DisableAppBrowserUI +
                    +
                    + WindowsDefenderSecurityCenter/DisableEnhancedNotifications +
                    +
                    + WindowsDefenderSecurityCenter/DisableFamilyUI +
                    +
                    + WindowsDefenderSecurityCenter/DisableHealthUI +
                    +
                    + WindowsDefenderSecurityCenter/DisableNetworkUI +
                    +
                    + WindowsDefenderSecurityCenter/DisableNotifications +
                    +
                    + WindowsDefenderSecurityCenter/DisableVirusUI +
                    +
                    + WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride +
                    +
                    + WindowsDefenderSecurityCenter/Email +
                    +
                    + WindowsDefenderSecurityCenter/EnableCustomizedToasts +
                    +
                    + WindowsDefenderSecurityCenter/EnableInAppCustomization +
                    +
                    + WindowsDefenderSecurityCenter/Phone +
                    +
                    + WindowsDefenderSecurityCenter/URL +
                    +
                    + +
                    **WindowsDefenderSecurityCenter/CompanyName** @@ -45,6 +91,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. @@ -52,6 +107,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableAppBrowserUI** @@ -78,6 +134,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -88,6 +153,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableEnhancedNotifications** @@ -114,6 +180,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. @@ -127,6 +202,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableFamilyUI** @@ -153,6 +229,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -163,6 +248,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableHealthUI** @@ -189,6 +275,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -199,6 +294,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableNetworkUI** @@ -225,6 +321,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -235,6 +340,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableNotifications** @@ -261,6 +367,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. @@ -271,6 +386,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisableVirusUI** @@ -297,6 +413,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -307,6 +432,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** @@ -333,6 +459,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. @@ -343,6 +478,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/Email** @@ -369,6 +505,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. @@ -376,6 +521,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/EnableCustomizedToasts** @@ -402,6 +548,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. @@ -412,6 +567,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/EnableInAppCustomization** @@ -438,6 +594,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709.Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. @@ -448,6 +613,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/Phone** @@ -474,6 +640,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. @@ -481,6 +656,7 @@ ms.date: 08/30/2017 +

                    **WindowsDefenderSecurityCenter/URL** @@ -507,6 +683,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 32d34d88ec..43176e2f15 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WindowsInkWorkspace @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

                    + ## WindowsInkWorkspace policies +
                    +
                    + WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace +
                    +
                    + WindowsInkWorkspace/AllowWindowsInkWorkspace +
                    +
                    + +
                    **WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +

                    **WindowsInkWorkspace/AllowWindowsInkWorkspace** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 22b96181e5..71a5e7e63a 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WindowsLogon @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

                    + ## WindowsLogon policies +
                    +
                    + WindowsLogon/DisableLockScreenAppNotifications +
                    +
                    + WindowsLogon/DontDisplayNetworkSelectionUI +
                    +
                    + WindowsLogon/HideFastUserSwitching +
                    +
                    + +
                    **WindowsLogon/DisableLockScreenAppNotifications** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + + This policy setting allows you to prevent app notifications from appearing on the lock screen. @@ -69,6 +91,7 @@ ADMX Info: +
                    **WindowsLogon/DontDisplayNetworkSelectionUI** @@ -95,6 +118,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + + This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. @@ -119,6 +151,7 @@ ADMX Info: +
                    **WindowsLogon/HideFastUserSwitching** @@ -145,6 +178,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index ea09c4b3c7..0d7ab2b543 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WirelessDisplay @@ -14,11 +14,33 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -

                    + ## WirelessDisplay policies +
                    +
                    + WirelessDisplay/AllowProjectionFromPC +
                    +
                    + WirelessDisplay/AllowProjectionFromPCOverInfrastructure +
                    +
                    + WirelessDisplay/AllowProjectionToPC +
                    +
                    + WirelessDisplay/AllowProjectionToPCOverInfrastructure +
                    +
                    + WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver +
                    +
                    + WirelessDisplay/RequirePinForPairing +
                    +
                    + +
                    **WirelessDisplay/AllowProjectionFromPC** @@ -45,6 +67,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. @@ -53,6 +84,7 @@ ms.date: 08/30/2017 +

                    **WirelessDisplay/AllowProjectionFromPCOverInfrastructure** @@ -79,6 +111,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. @@ -87,6 +128,7 @@ ms.date: 08/30/2017 +

                    **WirelessDisplay/AllowProjectionToPC** @@ -113,6 +155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. @@ -125,6 +176,7 @@ ms.date: 08/30/2017 +

                    **WirelessDisplay/AllowProjectionToPCOverInfrastructure** @@ -151,6 +203,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. @@ -159,14 +220,25 @@ ms.date: 08/30/2017 +

                    **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1703. +

                    **WirelessDisplay/RequirePinForPairing** @@ -193,6 +265,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + +

                    Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 0b67cbdc42..36cef1617a 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -202,7 +202,7 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId= [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) -  +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).     diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 03b15f9859..5c68eb15b8 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -40,7 +40,7 @@ These are the top Microsoft Support solutions for the most common issues experie - [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) - [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the) - ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) -- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) +- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) - [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem) - [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008) - [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 3e9fff0d5c..0d49be3b9d 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -300,4 +300,4 @@ The resulting taskbar for computers in any other country region: - [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md index 1aec75a995..cca1fc3f33 100644 --- a/windows/configuration/configure-windows-telemetry-in-your-organization.md +++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md @@ -35,6 +35,8 @@ Use this article to make informed decisions about how you might configure teleme We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). + ## Overview In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM. @@ -409,3 +411,5 @@ TechNet Web Pages - [Privacy at Microsoft](http://privacy.microsoft.com) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 7630406f0d..1475e42e38 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index 61bf864982..acf462f7e1 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Send feedback about Cortana at work back to Microsoft diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index bffa8f1644..554f55e3eb 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Set up and test Cortana with Office 365 in your organization diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 2a3d087da8..e492f9e0bd 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Cortana integration in your business or enterprise diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 5dd38b8ec8..ff0dbc4457 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 1eef8c58d2..3859197f3d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Set up and test Cortana for Power BI in your organization diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 3d96f92396..c319ce2fc7 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index d51d5c4c88..43fcd17368 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 2 - Perform a quick search with Cortana at work diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index b04d11d615..9813519fad 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 3 - Set a reminder for a specific location using Cortana at work diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index df57f9ca9d..dd43c46b35 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 4 - Use Cortana at work to find your upcoming meetings diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 8306c2143a..ccc50a9ebe 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 5 - Use Cortana to send email to a co-worker diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index 1274f67445..c553334d54 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index 051d96937f..6b2b437b4e 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 070192c8e0..2fa3e6637d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Testing scenarios using Cortana in your business or organization diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 0738115be9..2f73ac7fb5 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: eross-msft ms.localizationpriority: high +ms.author: lizross --- # Set up and test custom voice commands in Cortana for your organization diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index bad5148d3a..2d87c06e2e 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -170,7 +170,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed - [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -  +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 16c8908aff..66b8ca5cc0 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -63,9 +63,6 @@ Three features enable Start and taskbar layout control: To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. ->[!IMPORTANT] ->In Windows 10, version 1709, Edge is pinned to the desktop automatically during Windows 10 installation or upgrade. When you apply a custom Start layout using this policy, Edge will not be pinned to the desktop. - The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. @@ -133,7 +130,7 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c - [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)   - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).   diff --git a/windows/configuration/images/package.png b/windows/configuration/images/package.png index f5e975e3e9..e10cf84f51 100644 Binary files a/windows/configuration/images/package.png and b/windows/configuration/images/package.png differ diff --git a/windows/configuration/images/profile-config.png b/windows/configuration/images/profile-config.png index 473ad156ec..30a7468dcf 100644 Binary files a/windows/configuration/images/profile-config.png and b/windows/configuration/images/profile-config.png differ diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 64859ceeb0..cb4884a6d9 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -23,7 +23,7 @@ ms.author: jdecker A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. >[!NOTE] ->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. Avoid applying AppLocker rules to devices running the multi-app kiosk configuration described in this topic. +>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. @@ -40,7 +40,7 @@ If you don't want to use a provisioning package, you can deploy the configuratio ## Prerequisites -- (latest version of WCD -- is Store version okay at GA?) +- Windows Configuration Designer (Windows 10, version 1709) - The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 @@ -361,7 +361,7 @@ Provisioning packages can be applied to a device during the first-run experience Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. -If your test device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. +If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. @@ -573,7 +573,7 @@ Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled Remove All Programs list from the Start Menu | Enabled – Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers +Prevent access to drives from My Computer | Enabled - Restrict all drivers

                    **Note:** Users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f76eec93a1..8b9ecee3ff 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -31,6 +31,8 @@ To help make it easier to deploy settings to restrict connections from Windows 1 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). + ## What's new in Windows 10, version 1703 Here's a list of changes that were made to this article for Windows 10, version 1703: @@ -71,7 +73,7 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | @@ -100,13 +102,14 @@ See the following table for a summary of the management settings for Windows 10 |     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.18 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.19 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -124,7 +127,7 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | @@ -150,7 +153,7 @@ See the following table for a summary of the management settings for Windows Ser | Setting | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [13. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | @@ -165,7 +168,7 @@ See the following table for a summary of the management settings for Windows Ser | Setting | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | @@ -174,16 +177,15 @@ See the following table for a summary of the management settings for Windows Ser Use the following sections for more information about how to configure each setting. -### 1. Certificate trust lists +### 1. Automatic Root Certificates Update -A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available. - -To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. +The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available. +For more information, see [Automatic Root Certificates Update Configuration](https://technet.microsoft.com/library/cc733922.aspx). +Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list. > [!CAUTION] > By not automatically downloading the root certificates, the device might have not be able to connect to some websites. - For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** @@ -1267,7 +1269,38 @@ To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. -### 17.13 Radios +### 17.13 Phone calls + +In the **Phone calls** area, you can choose which apps can make phone calls. + +To turn off **Let apps make phone calls**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where: + + - **0**. User in control + - **1**. Force allow + - **2**. Force deny + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessPhone**, with a value of 2 (two). + + +To turn off **Choose apps that can make phone calls**: + +- Turn off the feature in the UI for each app. + +### 17.14 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -1298,7 +1331,7 @@ To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 17.14 Other devices +### 17.15 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. @@ -1332,7 +1365,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - Set the **Select a setting** box to **Force Deny**. -### 17.15 Feedback & diagnostics +### 17.16 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -1417,7 +1450,7 @@ To turn off tailored experiences with relevant tips and recommendations by using - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** -### 17.16 Background apps +### 17.17 Background apps In the **Background Apps** area, you can choose which apps can run in the background. @@ -1440,7 +1473,7 @@ To turn off **Let apps run in the background**: - **2**. Force deny -### 17.17 Motion +### 17.18 Motion In the **Motion** area, you can choose which apps have access to your motion data. @@ -1464,7 +1497,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). -### 17.18 Tasks +### 17.19 Tasks In the **Tasks** area, you can choose which apps have access to your tasks. @@ -1486,7 +1519,7 @@ To turn this off: - **1**. Force allow - **2**. Force deny -### 17.19 App Diagnostics +### 17.20 App Diagnostics In the **App diagnostics** area, you can choose which apps have access to your diagnostic information. diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index def3c5d507..6885f2b2f7 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -33,11 +33,7 @@ For example: 1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. -4. If the issue persists, [capture traces](https://msdn.microsoft.com/library/windows/desktop/dn904629.aspx) for components with the following GUIDs: - - 94097d3d-2a5a-5b8a-cdbd-194dd2e51a00 - - ab84611c-2678-5cd7-d292-c940f9be6c6d - - f9f7f27c-5e5d-5273-468f-038e61965660 - - 3e8fb07b-3e10-5981-01a9-fbd924fd5436 + ## Apps configured in AllowedList are blocked @@ -51,6 +47,3 @@ For example: - Check if the apps included in the Start layout are installed for the assigned access user. - Check if the shortcut exists on the target device, if a desktop app is missing on Start. -## Feedback - -Feedback and bugs can be submitted in the Feedback Hub. You can use the [Problems Steps Recorder](https://support.microsoft.com/help/22878/windows-10-record-steps) to reproduce the issue, and attach the resulting .zip file to your feedback. \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index e4bec41c89..713a2b4b8d 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -103,7 +103,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).   diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 7a5fa6db77..e26d7208df 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -21,7 +21,7 @@ ms.localizationpriority: high A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. -- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). +- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). In Windows 10, version 1709, you can use the [Provision kiosk devices wizard](#wizard) to configure a kiosk device running a Universal Windows app for Windows 10 Pro. or @@ -85,8 +85,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo | Method | Account type | Windows 10 edition | | --- | --- | --- | | [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | -| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education | +| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education | | [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | @@ -432,6 +432,6 @@ For a more secure kiosk experience, we recommend that you make the following con - [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-the-windows-store.md index f8b7650447..71e3551c63 100644 --- a/windows/configuration/stop-employees-from-using-the-windows-store.md +++ b/windows/configuration/stop-employees-from-using-the-windows-store.md @@ -114,7 +114,7 @@ If you're using Microsoft Store for Business and you want employees to only see [Manage access to private store](/microsoft-store/manage-access-to-private-store) -  +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).     diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 744e0acd11..a22b949f8b 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -58,4 +58,6 @@ Use these settings to configure policies for shared PC mode. ## Related topics -- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md) \ No newline at end of file +- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 10de96a306..35ab57c372 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -111,7 +111,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a - [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -  +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).  diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index f786f2f6ad..2f86c87a24 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -79,7 +79,7 @@ Pay attention to the checkbox in **Options**. In addition to providing the path [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) -  +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).    diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index a3c44c5ab1..be1ce53781 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -22,7 +22,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: -1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:
                    +1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
                    a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
                    b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
                    2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e5e8d59bf7..4662c2d40d 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -642,3 +642,5 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) [Configure MDT settings](configure-mdt-settings.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index f98e4c4744..f7c08f33ec 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -652,3 +652,5 @@ Figure 14. The partitions when deploying an UEFI-based machine. [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) [Configure MDT settings](configure-mdt-settings.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index ea7feeecfa..2f9a7b58e0 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -91,3 +91,6 @@ The information in this guide is designed to help you deploy Windows 10. In ord [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) [Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md) + + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index f828bce6a8..d898782a7c 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -400,3 +400,5 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
                    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
                    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 01404a9781..6ba9b74048 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -48,3 +48,5 @@ Windows as a service provides a new way to think about building, deploying, and >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. >With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index 0fdb3289c7..4cccf0d888 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md @@ -328,3 +328,5 @@ With the task sequence created, you’re ready to deploy it. If you’re using t - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage device restarts after updates](waas-restart.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 765051754a..a342d1a579 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -353,4 +353,6 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +- [Manage device restarts after updates](waas-restart.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index fac84472ae..54085bccf6 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -198,4 +198,6 @@ With all these options, which an organization chooses depends on the resources, - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +- [Manage device restarts after updates](waas-restart.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 81aed1c722..71202e04e6 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -966,3 +966,5 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
                    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
                    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
                    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 7b48b01727..8dd86431f4 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -337,7 +337,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
                    [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)   - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).   diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 9dca476f1c..63c0c66725 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -46,6 +46,8 @@ There are some scenarios in which the use of USMT is not recommended. These incl ## Related topics - [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). +     diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 57fdf3e0a6..3960b898bb 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -138,4 +138,4 @@ For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KM ## See also - [Volume Activation for Windows 10](volume-activation-windows-10.md)   -  +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).   diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 37335d3504..92299edb2e 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -75,6 +75,7 @@ Telephone activation is primarily used in situations where a computer is isolate **Note**   A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. +Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). ### Multiple activation key diff --git a/windows/deployment/windows-10-architecture-posters.md b/windows/deployment/windows-10-architecture-posters.md index b8accd1126..93173ce925 100644 --- a/windows/deployment/windows-10-architecture-posters.md +++ b/windows/deployment/windows-10-architecture-posters.md @@ -4,7 +4,7 @@ description: Provides architural planning posters for Windows 10 in the enterpri ms.prod: w10 ms.author: elizapo author: lizap -ms.date: 09/22/2017 +ms.date: 09/28/2017 ms.tgt_pltfrm: na ms.topic: article ms.localizationpriority: low @@ -21,5 +21,5 @@ You can download the following posters for architectural information about deplo Learn how you can set up and pre-configure Windows 10 devices. - [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf) Learn how to keep Windows up to date. -- [Deploy Windows 10 - Protection solutions](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf) +- [Deploy Windows 10 - Protection solutions](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf) Learn about the two tiers of protection available for Windows 10 devices. diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md index 7f6cdc5a1c..1ed5c3cb85 100644 --- a/windows/deployment/windows-10-auto-pilot.md +++ b/windows/deployment/windows-10-auto-pilot.md @@ -39,7 +39,7 @@ Windows AutoPilot allows you to: ### Prerequisites * [Devices must be registered to the organization](#registering-devices-to-your-organization) -* Devices have to be pre-installed with Windows 10, version 1703 or later +* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later * Devices must have access to the internet * [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) * Microsoft Intune or other MDM services to manage your devices @@ -100,3 +100,5 @@ In order for your devices to be auto-enrolled into MDM management, MDM auto-enro >[!NOTE] >MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 242f5aa4e7..16998068fa 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -131,4 +131,6 @@ The deployment process for the replace scenario is as follows: - [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) - [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) - [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) -- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) \ No newline at end of file +- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index d6f852cae5..a801374cb3 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -21,3 +21,5 @@ Learn about the tools available to deploy Windows 10. |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | |[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/device-security/applocker/applocker-overview.md index fd329b6d3d..c79f90e6e1 100644 --- a/windows/device-security/applocker/applocker-overview.md +++ b/windows/device-security/applocker/applocker-overview.md @@ -134,3 +134,5 @@ For reference in your security planning, the following table identifies the base | [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. | | [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. | | [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. | + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md index af3bab22cc..98bc91bd6e 100644 --- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md @@ -29,6 +29,8 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [BitLocker Network Unlock](#bkmk-bnusect) - [Other questions](#bkmk-other) +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). + ## Overview and requirements ### How does BitLocker work? @@ -151,7 +153,15 @@ The following types of system changes can cause an integrity check failure and p ### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? -Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. +Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. +For example: + +- Changing the BIOS boot order to boot another drive in advance of the hard drive. +- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. +- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. + +In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. +The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. ### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md index 6a94dab8c8..0e88e352bd 100644 --- a/windows/device-security/bitlocker/bitlocker-overview.md +++ b/windows/device-security/bitlocker/bitlocker-overview.md @@ -80,5 +80,6 @@ When installing the BitLocker optional component on a server you will also need | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. | | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| +| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core | -If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker). \ No newline at end of file +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). diff --git a/windows/device-security/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/device-security/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 8d48b8aff4..16e23be904 100644 --- a/windows/device-security/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/device-security/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -41,7 +41,9 @@ A good practice when using manage-bde is to determine the volume status on the t ``` syntax manage-bde -status ``` -This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. +This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: + +![Using manage-bde to check encryption status](images/manage-bde-status.png) The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. diff --git a/windows/device-security/bitlocker/images/feedback-app-icon.png b/windows/device-security/bitlocker/images/feedback-app-icon.png new file mode 100644 index 0000000000..c600883c0e Binary files /dev/null and b/windows/device-security/bitlocker/images/feedback-app-icon.png differ diff --git a/windows/device-security/bitlocker/images/manage-bde-status.png b/windows/device-security/bitlocker/images/manage-bde-status.png new file mode 100644 index 0000000000..321b1fa052 Binary files /dev/null and b/windows/device-security/bitlocker/images/manage-bde-status.png differ diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 80a04ca0c3..85d2429812 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -30,6 +30,7 @@ #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) #### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md) +##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) ##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) ###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) @@ -40,12 +41,12 @@ #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) ###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) ###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution) +###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) +###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) ###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) +###### [Release machine from the isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) ###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md) ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) @@ -123,6 +124,7 @@ #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) #### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) +#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) @@ -134,6 +136,7 @@ ### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) ### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) +#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md) ### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) @@ -199,23 +202,23 @@ #### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) #### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) -### [Exploit Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) +### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) #### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) -#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) -#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md) -#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md) -##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md) -### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) -#### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) -#### [Enable Attack Surface Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) -#### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) +#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) +#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md) +#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md) +##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md) +### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) +#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) +#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) +#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) ### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) -### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) -#### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) -#### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) -#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) +### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) +#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) +#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) +#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md index e3f898afa0..ad126f35fa 100644 --- a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -431,7 +431,7 @@ Examples: Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL ``` -- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. +- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. - **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example: diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index 846f249f82..486f7992dd 100644 --- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md @@ -649,3 +649,5 @@ You can get more info with the following links: - [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427.aspx) - [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 5b30a1d8e3..4d97b468d3 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -34,7 +34,7 @@ ms.date: 08/25/2017 - Windows Defender Security Center app -Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. +Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 92cb4eab33..43bd302fff 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -82,19 +82,7 @@ Hiding notifications can be useful in situations where you cannot hide the entir > [!NOTE] > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). -**Use Group Policy to display additional, custom text in notifications:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**. - -7. Enter the additional text you want to be shown to users. Click **OK**. +See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md) topic for instructions to add cusomt contact information to the notifications that users see on their machines. **Use Group Policy to hide notifications:** diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md new file mode 100644 index 0000000000..afa7a3d27d --- /dev/null +++ b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md new file mode 100644 index 0000000000..4dd10553c4 --- /dev/null +++ b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png new file mode 100644 index 0000000000..b3bcfd6688 Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png differ diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png new file mode 100644 index 0000000000..8bfe45dd7b Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png differ diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png new file mode 100644 index 0000000000..b555bb6110 Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png differ diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png new file mode 100644 index 0000000000..4351777c34 Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png differ diff --git a/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md new file mode 100644 index 0000000000..b36b55f7f1 --- /dev/null +++ b/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -0,0 +1,72 @@ +--- +title: Enable the limited periodic scanning feature in Windows Defender AV +description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers +keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 10/02/2017 +--- + + + +# Use limited periodic scanning in Windows Defender AV + + + +**Applies to:** + +- Windows 10, version 1609 + + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app + + +Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. + +It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. + + +## How to enable limited periodic scanning + +By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly. + +If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device: + +![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) + + +If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: + +![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) + +Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. + + +![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png) + +Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page. + + +![When enabled, periodic scanning shows the normal Windows Defender AV options](images/vtp-3ps-lps-on.png) + + + + +## Related topics + +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 1d49a1e634..b2d2890d2b 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -15,7 +15,7 @@ ms.date: 09/07/2017 --- -# Windows Defender Antivirus and third party protection products +# Windows Defender Antivirus compatibility **Applies to:** @@ -30,13 +30,11 @@ ms.date: 09/07/2017 Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. -However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. +However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. -On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. See [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) topic for key differences and management options for Windows Server installations. - -The following matrix illustrates how Windows Defender AV operates when third-party antivirus products or Windows Defender ATP are also used. +The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used. Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state -|-|-|- @@ -44,12 +42,19 @@ Windows 10 | A third-party product that is not offered or developed by Microsoft Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode Windows 10 | Windows Defender AV | Yes | Active mode Windows 10 | Windows Defender AV | No | Active mode -Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode -Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode +Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] +Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] Windows Server 2016 | Windows Defender AV | Yes | Active mode Windows Server 2016 | Windows Defender AV | No | Active mode +(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine. + +See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations. + + + + >[!IMPORTANT] >Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016. > @@ -58,25 +63,28 @@ Windows Server 2016 | Windows Defender AV | No | Active mode >Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). +This table indicates the functionality and features that are available in each state: +State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) +:-|:-|:-:|:-:|:-:|:-:|:-: +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] +Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -In the passive and automatic disabled modes, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware. +Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -The reasons for this are twofold: - -1. If you are enrolled in Windows Defender ATP, [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -2. If the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, then Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. +Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. - Therefore, the Windows Defender AV service needs to update itself to ensure it has up-to-date protection coverage in case it needs to automatically enable itself. +In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - - If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. + If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. >[!WARNING] >You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app. > >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. +> +>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). ## Related topics diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 77b79508b8..63f99c38c4 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -61,7 +61,7 @@ By default, Windows Defender AV is installed and functional on Windows Server 20 If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option. -![](images/server-add-gui.png) +![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard. @@ -87,6 +87,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard. +This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/en-us/wdsi/help/antimalware-faq). + >[!NOTE] >Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**. @@ -144,8 +146,6 @@ By default, Windows Update does not download and install updates automatically o To ensure that protection from malware is maintained, we recommend that you enable the following services: -- Windows Defender Network Inspection service - - Windows Error Reporting service - Windows Update service @@ -155,9 +155,8 @@ The following table lists the services for Windows Defender and the dependent se |Service Name|File Location|Description| |--------|---------|--------| |Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| -|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.| |Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| -|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.| +|Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.| |Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates| diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 495cc05eec..7f2ef6dac4 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -38,7 +38,7 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. > [!IMPORTANT] -> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. > [!WARNING] > If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. @@ -121,7 +121,7 @@ This section describes how to perform some of the most common tasks when reviewi >[!NOTE] >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. ->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning. +>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 15b33475fa..4fb205b6cc 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -24,7 +24,7 @@ Your environment needs the following hardware to run Application Guard. |--------|-----------| |64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

                    **-AND-**

                    One of the following virtualization extensions for VBS:

                    VT-x (Intel)

                    **-OR-**

                    AMD-V| -|Hardware memory|8 GB minimum, 16 GB recommended| +|Hardware memory|Microsoft recommends 8GB RAM for optimal performance| |Hard disk|5 GB free space, solid state disk (SSD) recommended| |Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index 1c0e90fab7..9592c54ea3 100644 --- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) + Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: @@ -50,6 +52,8 @@ This feature is only available if you have an active Office 365 E5 or the Threat When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. +To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). + ## Enable advanced features 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 5b05198ca9..42299706d8 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) + The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on. Alerts are organized in queues by their workflow status or assignment: diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index e9c01a20cf..764fe72b5d 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -25,6 +25,9 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) + Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 3f9933916f..8c52c26e52 100644 --- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -26,6 +26,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) + Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles. ## Assign user access using Azure PowerShell @@ -82,3 +84,6 @@ For more information see, [Manage Azure AD group and role membership](https://te 7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 723ff75a42..b4cac17a7c 100644 --- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) + The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. ![Windows Defender ATP sensor health tile](images/atp-portal-sensor.png) diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index beff40e45f..c4c965309f 100644 --- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) + You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 59f69d831e..1c7f1bf825 100644 --- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) + You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 2d17ac8b25..c0c4500c23 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -27,6 +27,9 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) + + > [!NOTE] > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 42a6f77d4d..690593d58b 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) + You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 89b06fa326..dccdfe3ee5 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -26,6 +26,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index e2993d8ccb..c2d209b804 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) + You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. > [!NOTE] diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index 8a90f8cb96..433ebdcd72 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md @@ -20,6 +20,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink) + ## Onboard non-persistent virtual desktop infrastructure (VDI) machines Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index 8b9d4a256a..12896138c5 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -39,6 +39,9 @@ Topic | Description :---|:--- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints. [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints. -[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints. +[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on endpoints. [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines. + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 1363cca541..60d72976e0 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -26,6 +26,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) + The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index f359c9d10b..343f4351d5 100644 --- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -22,6 +22,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) + Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. Windows Defender ATP supports the onboarding of the following servers: diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index c90b025275..a11b5b6701 100644 --- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) + ## Pull alerts using supported security information and events management (SIEM) tools Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index 701451367b..60e6cfaceb 100644 --- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) + You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 48810c5ae3..5fafa61b0a 100644 --- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) + You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md index 333d2f5e83..0c3dc01eda 100644 --- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) + The **Security operations dashboard** displays a snapshot of: - The latest active alerts on your network @@ -116,6 +118,9 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb ![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) + ## Related topics - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index c482403b20..6f7eed13ef 100644 --- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -79,3 +79,5 @@ Microsoft provides customers with detailed information about Microsoft's securit By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink) diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index e3a3b4ae51..0f7c42f24e 100644 --- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -26,6 +26,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) + The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning. If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index 32ba05c13a..4e98e3b3b4 100644 --- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) + Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. 1. In the navigation pane, select **Preference Setup** > **Threat intel API**. diff --git a/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a95a52eb1d --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md @@ -0,0 +1,49 @@ +--- +title: Enable Security Analytics in Windows Defender ATP +description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. +keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Enable Security Analytics security controls + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. + + >[!NOTE] + >Changes might take up to a few hours to reflect on the dashboard. + +1. In the navigation pane, select **Preferences setup** > **Security Analytics**. + + ![Image of Security Analytics controls from Preferences setup menu](images/atp-enable-security-analytics.png) + +2. Select the security control, then toggle the setting between **On** and **Off**. + +3. Click **Save preferences**. + +## Related topics +- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) +- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 26467de977..b34a43be0e 100644 --- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) + Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. 1. In the navigation pane, select **Preferences setup** > **SIEM integration**. diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index f1ff28638b..f23dc99857 100644 --- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -334,7 +334,7 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen - +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink) ## Related topics - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index d5eb939076..6085998914 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink) + With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md). diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index 239c463a13..73a2c6b1c7 100644 --- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md @@ -23,6 +23,8 @@ ms.date: 09/05/2017 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 89ede3edae..07eef0d4b5 100644 --- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) + Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured. ## Inactive machines diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md index db7f9796a9..2a702cecc7 100644 --- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink) + During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. 1. In the navigation pane, select **Preferences setup** > **General**. diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png new file mode 100644 index 0000000000..4005404aff Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png new file mode 100644 index 0000000000..9d8ae5a5cd Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png new file mode 100644 index 0000000000..0f5ef13a77 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png index 65dc93e72c..729042ed30 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png new file mode 100644 index 0000000000..9cbf01f81a Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png differ diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index d2e1a9a60a..c743b8f2cb 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -21,6 +21,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) + Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. ![Image of the alert page](images/atp-alert-details.png) diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index 6c5effd35b..e7a73b2f71 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) + Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. You can see information from the following sections in the URL view: diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index afb66067f3..e90acdfa3d 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) + Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. You can get information from the following sections in the file view: diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 0efb6d5061..beae2f18fb 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink) + Examine possible communication between your machines and external internet protocol (IP) addresses. Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 4581751734..d9ae0d1c13 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -21,6 +21,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) + ## Investigate machines Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. @@ -57,6 +59,55 @@ You'll also see details such as logon types for each user account, the user grou For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). +## Manage machine group and tags +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. + +Machine related properties are being extended to account for: + +- Group affiliation +- Dynamic context capturing + + + +### Group machines +Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. + +Machine group is defined in the following registry key entry of the machine: + +- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` +- Registry key value (string): Group + + +### Set standard tags on machines +Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. + +1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + + You can also get to the alert page through the file and IP views. + +2. Open the **Actions** menu and select **Manage tags**. + + ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) + +3. Enter tags on the machine. To add more tags, click the + icon. +4. Click **Save and close**. + + ![Image of adding tags on a machine](images/atp-save-tag.png) + + Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. + +### Manage machine tags +You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. + +![Image of adding tags on a machine](images/atp-tag-management.png) + + + ## Alerts related to this machine The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts). diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index 52c8a9583f..1b36dc7c3c 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) + ## Investigate user account entities Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index ca3569887b..205494624b 100644 --- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink) + The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. Use the Machines list in these main scenarios: @@ -56,8 +58,6 @@ You can use the following filters to limit the list of machines displayed during - Windows 10 - Windows Server 2012 R2 - Windows Server 2016 -- Linux -- Mac OS - Other @@ -93,7 +93,7 @@ Filter the list to view specific machines grouped together by the following malw - **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software. ## Groups and tags -You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags). +You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags). ## Export machine list to CSV You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file. diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index be0229d1d1..21c56a7475 100644 --- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink) + Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu. You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index b43ff9eb93..6f4ca6d581 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -27,7 +27,7 @@ ms.date: 09/05/2017 There are some minimum requirements for onboarding your network and endpoints. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) ## Minimum requirements You must be on Windows 10, version 1607 at a minimum. diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index d5a674a071..358f434974 100644 --- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + You need to onboard to Windows Defender ATP before you can use the service. For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). @@ -45,3 +47,5 @@ Topic | Description [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 2f535cb869..0000000000 --- a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Optimize Windows Defender Antivirus -description: -keywords: -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas -localizationpriority: high -ms.date: 09/05/2017 ---- - -# Optimize Windows Defender Antivirus - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] - -The Antivirus optimization tile provides a list of recommendations to affected machines. Taking action on the recommendations will help improve your overall organizational security: - -- [Use Windows Defender AV with Windows Defender ATP](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) -- [Turn on cloud-delivered protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) -- [Turn on protection from potentially unwanted applications](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) -- [Turn on real-time protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Update antivirus protection and definitions](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 5d510f2eb6..ac5a0f7173 100644 --- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to: diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 703b227b63..705ff8da95 100644 --- a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -23,6 +23,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) + Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI. Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index e3960714e7..c1070db950 100644 --- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -175,6 +175,9 @@ $ioc = ``` +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink) + + ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index beade9fba5..504d423fd0 100644 --- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) + Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. ## In this section diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index ec38ff1fd1..1c08c4225a 100644 --- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -24,6 +24,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) + Turn on the preview experience setting to be among the first to try upcoming features. 1. In the navigation pane, select **Preferences setup** > **Preview experience**. diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index e9237f713e..3dfbb8db03 100644 --- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -27,6 +27,8 @@ ms.date: 09/05/2017 The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink) + Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. @@ -59,7 +61,7 @@ You can lock down a device and prevent subsequent attempts of potentially malici - [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
                    As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. -- [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
                    +- [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
                    Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
                    @@ -69,5 +71,5 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. - +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index ebf7206b49..8a7b308e76 100644 --- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. In general, the OAuth 2.0 protocol supports four types of flows: diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index 607ab8d422..222900d1ef 100644 --- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -177,6 +177,10 @@ with requests.Session() as session: pprint(json.loads(response.text)) ``` + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pyexample-belowfoldlink) + + ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 89beeaac45..5f18a842a7 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink) + Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. >[!NOTE] diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 0879c73c17..0aa55c8947 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -25,57 +25,14 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) + Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!NOTE] > These response actions are only available for machines on Windows 10, version 1703. -## Manage machine group and tags -Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. - -Machine related properties are being extended to account for: - -- Group affiliation -- Dynamic context capturing - - - -### Group machines -Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. - -Machine group is defined in the following registry key entry of the machine: - -- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` -- Registry key value (string): Group - - -### Set standard tags on machines -Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. - -1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: - - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. - - You can also get to the alert page through the file and IP views. - -2. Open the **Actions** menu and select **Manage tags**. - - ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) - -3. Enter tags on the machine. To add more tags, click the + icon. -4. Click **Save and close**. - - ![Image of adding tags on a machine](images/atp-save-tag.png) - - Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. - -### Manage machine tags -You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. - -![Image of adding tags on a machine](images/atp-tag-management.png) ## Collect investigation package from machines @@ -156,7 +113,7 @@ As part of the investigation or response process, you can remotely initiate an a ![Image of action center with antivirus scan](images/atp-av-scan-action-center.png) - - **Submission time** - Shows when the isolation action was submitted. + - **Submission time** - Shows when the action was submitted. - **Status** - Indicates any pending actions or the results of completed actions. The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. @@ -188,7 +145,7 @@ The action to restrict an application from running applies a code integrity poli ![Image of action center with app restriction](images/atp-action-center-app-restriction.png) - - **Submission time** - Shows when the isolation action was submitted. + - **Submission time** - Shows when the action was submitted. - **Status** - Indicates any pending actions or the results of completed actions. When the application execution restriction configuration is applied, a new event is reflected in the machine timeline. @@ -244,7 +201,7 @@ On Windows 10, version 1710 and above, you'll have additional control over the n The Action center shows the submission information: ![Image of machine isolation](images/atp-machine-isolation.png) - - **Submission time** - Shows when the isolation action was submitted. + - **Submission time** - Shows when the action was submitted. - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication. When the isolation configuration is applied, a new event is reflected in the machine timeline. diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 548e32a5b1..095581b550 100644 --- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -26,6 +26,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink) + You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. >[!NOTE] diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index 4a5e44b615..26057dc724 100644 --- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: View the Security Analytics dashboard in Windows Defender ATP description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. -keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates +keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas localizationpriority: high -ms.date: 09/05/2017 +ms.date: 10/02/2017 --- # View the Windows Defender Advanced Threat Protection Security analytics dashboard @@ -24,43 +24,50 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) + + The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. The **Security analytics dashboard** displays a snapshot of: - Organizational security score - Security coverage - Improvement opportunities +- Security score over time -![Security analytics dashboard](images/atp-dashboard-security-analytics.png) +![Security analytics dashboard](images/atp-dashboard-security-analytics-full.png) ## Organizational security score The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings. -![Organizational security score](images/atp-org-score.png) +![Organizational security score](images/atp-org-sec-score.png) -Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score. +Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score. The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). -In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile. +In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile. + +You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md). ## Security coverage -The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category. +The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. -![Security coverage](images/atp-sec-coverage.png) +![Security coverage](images/atp-security-coverage.png) ## Improvement opportunities Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. Click on each control to see the recommended optimizations. -![Improvement opportunities](images/atp-improv-ops.png) +![Improvement opportunities](images/atp-improv-opps.png) The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile. -Recommendations that do not display a green action are informational only and no action is required. +>[!IMPORTANT] +>Recommendations that do not display a green triangle icon are informational only and no action is required. Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. @@ -68,9 +75,22 @@ The following image shows an example list of machines where the EDR sensor is no ![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png) -### Endpoint detection and response (EDR) optimization -This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service. +## Security score over time +You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. +![Image of the security score over time tile](images/atp-security-score-over-time.png) + +You can click on specific date points to see the total score for that security control is on a particular date. + +### Endpoint detection and response (EDR) optimization +For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool. + +#### Minimum baseline configuration setting for EDR: +- Windows Defender ATP sensor is on +- Data collection is working correctly +- Communication to Windows Defender ATP service is not impaired + +#### Minimum baseline configuration setting for EDR: You can take the following actions to increase the overall security score of your organization: - Turn on sensor - Fix sensor data collection @@ -78,9 +98,19 @@ You can take the following actions to increase the overall security score of you For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). -### Windows Defender Antivirus optimization -This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on. +### Windows Defender Antivirus (Windows Defender AV) optimization +For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled. +#### Minimum baseline configuration setting for Windows Defender AV: +Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met: + +- Windows Defender AV is reporting correctly +- Windows Defender AV is turned on +- Signature definitions are up to date +- Real-time protection is on +- Potentially Unwanted Application (PUA) protection is enabled + +##### Recommended actions: You can take the following actions to increase the overall security score of your organization: >[!NOTE] @@ -90,7 +120,6 @@ You can take the following actions to increase the overall security score of you - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). - Turn on antivirus - Update antivirus definitions -- Turn on cloud-based protection - Turn on real-time protection - Turn on PUA protection @@ -102,11 +131,115 @@ This tile shows you the exact number of machines that require the latest securit You can take the following actions to increase the overall security score of your organization: - Install the latest security updates +- Fix sensor data collection + - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). -For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter). +For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter). + + +### Windows Defender Exploit Guard (Windows Defender EG) optimization +For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline. + +#### Minimum baseline configuration setting for Windows Defender EG: +Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met: + +- System level protection settings are configured correctly +- Attack Surface Reduction rules are configured correctly +- Controlled Folder Access setting is configured correctly + +##### System level protection: +The following system level configuration settings must be set to **On or Force On**: + +1. Control Flow Guard +2. Data Execution Prevention (DEP) +3. Randomize memory allocations (Bottom-up ASLR) +4. Validate exception chains (SEHOP) +5. Validate heap integrity + +>[!NOTE] +>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. +>Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. + +##### Attack Surface Reduction (ASR) rules: +The following ASR rules must be configured to **Block mode**: + +Rule description | GUIDs +-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + + +>[!NOTE] +>The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. +>Consider enabling this rule in **Audit** or **Block mode** for better protection. + + +##### Controlled Folder Access +The Controlled Folder Access setting must be configured to **Audit** or **Block mode**. + +>[!NOTE] +> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications. +>Consider enabling Controlled Folder Access for better protection. + +##### Recommended actions: +You can take the following actions to increase the overall security score of your organization: +- Turn on all system-level Exploit Protection settings +- Set all ASR rules to enabled or audit mode +- Turn on Controlled Folder Access +- Turn on Windows Defender Antivirus on compatible machines + +For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). + +### Windows Defender Application Guard (Windows Defender AG) optimization +For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline. + +#### Minimum baseline configuration setting for Windows Defender AG: +Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met: + +- Hardware and software prerequisites are met +- Windows Defender AG is turned on compatible machines +- Managed mode is turned on + +##### Recommended actions: +You can take the following actions to increase the overall security score of your organization: +- Ensure hardware and software prerequisites are met + + >[!NOTE] + >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on. + +- Turn on Windows Defender AG on compatible machines +- Turn on managed mode + + +For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). + + +### Windows Defender SmartScreen optimization +For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled. + +#### Minimum baseline configuration setting for Windows Defender SmartScreen: +The following settings must be configured with the following settings: +- Check apps and files: **Warn** or **Block** +- SmartScreen for Microsoft Edge: **Warn** or **Block** +- SmartScreen for Windows Store apps: **Warn** or **Off** + + +You can take the following actions to increase the overall security score of your organization: +- Set **Check app and files** to **Warn** or **Block** +- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** +- Set **SmartScreen for Windows Store apps** to **Warn** or **Off** + +For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) +- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md deleted file mode 100644 index a6f76a8f46..0000000000 --- a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: -description: -keywords: -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas -localizationpriority: high ---- - -# Security updates - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 67b2520eea..64db7e6e2b 100644 --- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) + The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md index aee67ec43e..51307867de 100644 --- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink) + Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone and view license information. ## Time zone settings diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md index 108fefc1b7..04e81e2885 100644 --- a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -23,6 +23,9 @@ ms.date: 09/05/2017 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) + Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. ## In this section diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index f802ef999b..1a8543fe50 100644 --- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) + Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index a7b4331483..109ede1a84 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -48,6 +48,9 @@ If your client secret expires or if you've misplaced the copy provided when you 7. Copy the value and save it in a safe place. +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootcustomti-belowfoldlink) + + ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 30083255ae..9fbbf9f078 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -274,6 +274,9 @@ Windows Defender Advanced Threat Protection requires one of the following Micros For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) + + ## Related topics - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index b04d0fdea3..b8da894820 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -49,6 +49,9 @@ If your client secret expires or if you've misplaced the copy provided when you 7. Copy the value and save it in a safe place. +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) + + ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index de337b11fd..c0885c2510 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -68,6 +68,8 @@ The following date and time formats are currently not supported: **Use of comma to indicate thousand**
                    Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K. +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) + ### Related topic - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index 727c6135b0..ae473cd899 100644 --- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) + Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. You can use the code examples to guide you in creating calls to the custom threat intelligence API. diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index bcd359ef0c..a0f9d4ce21 100644 --- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) + A typical security breach investigation requires a member of a security operations team to: 1. View an alert on the **Security operations dashboard** or **Alerts queue** diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index e208f89717..17124a8070 100644 --- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 0817855e6a..320ea854bf 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -1,7 +1,7 @@ --- -title: Use Attack Surface Reduction rules to prevent malware infection +title: Use Attack surface reduction rules to prevent malware infection description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -37,11 +37,11 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: @@ -49,13 +49,13 @@ The feature is comprised of a number of rules, each of which target specific beh - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually inititated during normal day-to-day work -See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule. +See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule. When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. -## Attack Surface Reduction rules +## Attack surface reduction rules The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: @@ -125,7 +125,7 @@ It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/l ## Requirements -The following requirements must be met before Attack Surface Reduction will work: +The following requirements must be met before Attack surface reduction will work: Windows 10 version | Windows Defender Antivirus - | - @@ -134,9 +134,9 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De -## Review Attack Surface Reduction events in Windows Event Viewer +## Review Attack surface reduction events in Windows Event Viewer -You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited): +You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. @@ -144,13 +144,13 @@ You can review the Windows event log to see events that are created when an Atta 2. On the left panel, under **Actions**, click **Import custom view...** - ![](images/events-import.gif) + ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) 3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: +5. This will create a custom view that filters to only show the following events related to Attack surface reduction: Event ID | Description -|- @@ -172,7 +172,7 @@ You can review the Windows event log to see events that are created when an Atta Topic | Description ---|--- -[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created. -[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network. -[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. +[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created. +[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network. +[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 8ca8c4120a..2d4af77fb8 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -34,7 +34,7 @@ You might want to do this when testing how the feature will work in your organiz While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. @@ -44,10 +44,10 @@ You can use Group Policy, PowerShell, and configuration servicer providers (CSPs Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) You can also use the a custom PowerShell script that enables the features in audit mode automatically: @@ -58,7 +58,7 @@ You can also use the a custom PowerShell script that enables the features in aud 2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. -3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode: +3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audie mode: ```PowerShell Set-ExecutionPolicy Bypass -Force \Enable-ExploitGuardAuditMode.ps1 @@ -76,7 +76,7 @@ Topic | Description - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) +- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 2945821a44..7f728d947a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -16,7 +16,7 @@ ms.date: 08/25/2017 -# Protect important folders with Controlled Folder Access +# Protect important folders with Controlled folder access **Applies to:** @@ -38,11 +38,11 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. @@ -52,22 +52,22 @@ A notification will appear on the machine where the app attempted to make change The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled. +As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. ## Requirements -The following requirements must be met before Controlled Folder Access will work: +The following requirements must be met before Controlled folder access will work: Windows 10 version | Windows Defender Antivirus -|- Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled -## Review Controlled Folder Access events in Windows Event Viewer +## Review Controlled folder access events in Windows Event Viewer -You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app: +You can review the Windows event log to see events that are created when Controlled folder access blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. @@ -75,25 +75,25 @@ You can review the Windows event log to see events that are created when Control 3. On the left panel, under **Actions**, click **Import custom view...** - ![](images/events-import.gif) + ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: +5. This will create a custom view that filters to only show the following events related to Controlled folder access: Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled Folder Access event -1123 | Blocked Controlled Folder Access event +1124 | Audited Controlled folder access event +1123 | Blocked Controlled folder access event ## In this section Topic | Description ---|--- -[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created. -[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network -[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Evaluate Controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled folder access works, and what events would typically be created. +[Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled folder access in your network +[Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 71db423dcf..a38b93a9db 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Configure how ASR works to finetune protection in your network description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -14,7 +14,7 @@ ms.author: iawilt ms.date: 08/25/2017 --- -# Customize Attack Surface Reduction +# Customize Attack surface reduction **Applies to:** @@ -35,15 +35,15 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by Attack Surface Reduction rules. +You can exclude files and folders from being evaluated by Attack surface reduction rules. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). @@ -55,9 +55,9 @@ You can specify individual files or folders (using folder paths or fully qualifi 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folderss @@ -89,6 +89,6 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md) -- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) +- [Enable Attack surface reduction](enable-attack-surface-reduction.md) +- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 9bde74faf6..47df6f39f0 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -1,7 +1,7 @@ --- title: Add additional folders and apps to be protected by Windows 10 -description: Add additional folders that should be protected by Controlled Folder Access, or whitelist apps that are incorrectly blocking changes to important files. -keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable +description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files. +keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,7 +16,7 @@ ms.date: 08/25/2017 -# Customize Controlled Folder Access +# Customize Controlled folder access **Applies to:** @@ -38,20 +38,26 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): +This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): - [Add additional folders to be protected](#protect-additional-folders) - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) +>[!WARNING] +>Controlled folder access is a new technology that monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. +> +>This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. + + ## Protect additional folders -Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. +Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to Controlled Folder Access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults. +Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. You can also enter network shares and mapped drives, but environment variables and wildcards are not supported. @@ -69,7 +75,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and 4. Click **Add a protected folder** and follow the prompts to add apps. - ![](images/cfa-prot-folders.png) + ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) ### Use Group Policy to protect additional folders @@ -80,7 +86,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. 6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. @@ -101,7 +107,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app. -![](images/cfa-allow-folder-ps.png) +![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png) >[!IMPORTANT] @@ -115,7 +121,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specifc apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature. +You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature. >[!IMPORTANT] >By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets. @@ -124,7 +130,7 @@ You can specify if certain apps should always be considered safe and given write You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders. -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled Folder Access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled folder access. ### Use the Windows Defender Security app to whitelist specific apps @@ -138,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha 4. Click **Add an allowed app** and follow the prompts to add apps. - ![](images/cfa-allow-app.png) + ![Screenshot of the add an allowed app button](images/cfa-allow-app.png) ### Use Group Policy to whitelist specific apps @@ -148,7 +154,7 @@ When you add an app, you have to specify the app's location. Only the app in tha 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. 6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name? @@ -172,7 +178,7 @@ When you add an app, you have to specify the app's location. Only the app in tha Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app. -![](images/cfa-allow-app-ps.png) +![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) >[!IMPORTANT] @@ -189,6 +195,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications] See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) +- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) +- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 86c947101d..1f4767560d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -1,6 +1,6 @@ --- -title: Enable or disable specific mitigations used by Exploit Protection -keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr +title: Enable or disable specific mitigations used by Exploit protection +keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: iawilt ms.date: 08/25/2017 --- -# Customize Exploit Protection +# Customize Exploit protection **Applies to:** @@ -35,49 +35,89 @@ ms.date: 08/25/2017 -Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. +Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. - This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. + This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). -## Exploit Protection mitigations +## Exploit protection mitigations All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. -You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table. + +You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. + + +Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". + +![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png) + +The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. -Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available +Mitigation | Description | Can be applied to | Audit mode available - | - | - | - -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On** | No -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes -Block remote images | Prevents loading of images from remote devices. | App-level only | Yes -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes -Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes -Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +>[!IMPORTANT] +>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: +> +> +>Enabled in **Program settings** | Enabled in **System settings** | Behavior +>:-: | :-: | :-: +>[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | As defined in **Program settings** +>[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **Program settings** +>[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **System settings** +>[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | Default as defined in **Use default** option +> +> +> +>- **Example 1** +> +> Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. +> +> Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. +> +>The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +> +> +>- **Example 2** +> +> Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. +> +> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +> +> Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. +> +>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +>CFG will be enabled for *miles.exe*. @@ -87,19 +127,19 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label: - ![](images/wdsc-exp-prot.png) + ![App & browser control screen in the Windows Defender Security Center](images/wdsc-exp-prot.png) -3. Under the **System settings** section, find the mitigation you want to configure and select either: - - **On by default** - - **Off by default** - -**Use default** +3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: + - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. Changing some settings may required a restart, which will be indicated in red text underneath the setting. - ![](images/wdsc-exp-prot-sys-settings.png) + ![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png) 4. Repeat this for all the system-level mitigations you want to configure. @@ -114,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen: - ![](images/wdsc-exp-prot.png) + ![Screenshot showing the Exploit protection label highlighted in the Windows Defender Security Center App & browser settings section](images/wdsc-exp-prot.png) 3. Go to the **Program settings** section and choose the app you want to apply mitigations to: @@ -124,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - ![](images/wdsc-exp-prot-app-settings.png) + ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png) 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - ![](images/wdsc-exp-prot-app-settings-options.png) + ![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png) You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. @@ -140,7 +180,7 @@ Exporting the configuration as an XML file allows you to copy the configuration ## PowerShell reference - You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets. + You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets. The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. @@ -255,6 +295,6 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit Protection](evaluate-exploit-protection.md) -- [Enable Exploit Protection](enable-exploit-protection.md) -- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file +- [Evaluate Exploit protection](evaluate-exploit-protection.md) +- [Enable Exploit protection](enable-exploit-protection.md) +- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index f2c3551f4a..1ca6070748 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -1,7 +1,7 @@ --- -title: Compare the features in Exploit Protection with EMET +title: Compare the features in Exploit protection with EMET keywords: emet, enhanced mitigation experience toolkit, configuration, exploit -description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -37,10 +37,10 @@ We're still working on this content and will have it published soon! -Check out the following topics for more information about Exploit Protection: +Check out the following topics for more information about Exploit protection: - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate Exploit Protection](evaluate-exploit-protection.md) -- [Enable Exploit Protection](enable-exploit-protection.md) -- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file +- [Evaluate Exploit protection](evaluate-exploit-protection.md) +- [Enable Exploit protection](enable-exploit-protection.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index d128c1da67..c42e32c42f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Enable ASR rules individually to protect your organization description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -15,7 +15,7 @@ ms.date: 08/25/2017 --- -# Enable Attack Surface Reduction +# Enable Attack surface reduction **Applies to:** @@ -36,17 +36,17 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -## Enable and audit Attack Surface Reduction rules +## Enable and audit Attack surface reduction rules You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -Attack Surface Reduction rules are identified by their unique rule ID. +Attack surface reduction rules are identified by their unique rule ID. You can manually add the rules by using the GUIDs in the following table: @@ -60,9 +60,9 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5 Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable Attack Surface Reduction rules +### Use Group Policy to enable Attack surface reduction rules 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -71,20 +71,20 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: +6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - Block mode = 1 - Disabled = 0 - Audit mode = 2 -![](images/asr-rules-gp.png) +![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png) - ### Use PowerShell to enable Attack Surface Reduction rules + ### Use PowerShell to enable Attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -92,7 +92,9 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to ```PowerShell Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - + + + You can enable the feature in audit mode using the following cmdlet: ```PowerShell @@ -101,9 +103,24 @@ Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReduct Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +>[!IMPORTANT> +>You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list. +> +>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: +> +>```PowerShell +>Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode +>``` -### Use MDM CSPs to enable Attack Surface Reduction rules +You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + +>[!WARNING] +>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. +>You can obtain a list of rules and their current state by using `Get-MpPreference` + + +### Use MDM CSPs to enable Attack surface reduction rules Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. @@ -113,5 +130,5 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https ## Related topics - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md) -- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) +- [Customize Attack surface reduction](customize-attack-surface-reduction.md) +- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 3471eba455..69153eefb4 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -1,7 +1,7 @@ --- title: Turn on the protected folders feature in Windows 10 -keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use -description: Learn how to protect your important files by enabling Controlled Folder Access +keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use +description: Learn how to protect your important files by enabling Controlled folder access search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,7 +16,7 @@ ms.date: 08/25/2017 -# Enable Controlled Folder Access +# Enable Controlled folder access **Applies to:** @@ -38,19 +38,19 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). -## Enable and audit Controlled Folder Access +## Enable and audit Controlled folder access -You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -### Use the Windows Defender Security app to enable Controlled Folder Access +### Use the Windows Defender Security app to enable Controlled folder access 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -60,9 +60,9 @@ For further details on how audit mode works, and when you might want to use it, 3. Set the switch for the feature to **On** - ![](images/cfa-on.png) + ![Screenshot of the CFA feature switched to On](images/cfa-on.png) -### Use Group Policy to enable Controlled Folder Access +### Use Group Policy to enable Controlled folder access 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -70,19 +70,19 @@ For further details on how audit mode works, and when you might want to use it, 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. -6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: +6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders. + - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) >[!IMPORTANT] ->To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. -### Use PowerShell to enable Controlled Folder Access +### Use PowerShell to enable Controlled folder access 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -95,13 +95,13 @@ You can enable the feauting in audit mode by specifying `AuditMode` instead of ` Use `Disabled` to turn the feature off. -### Use MDM CSPs to enable Controlled Folder Access +### Use MDM CSPs to enable Controlled folder access Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) +- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) +- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 90e6cd1782..851c35b1af 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -1,7 +1,7 @@ --- -title: Turn on Exploit Protection to help mitigate against attacks +title: Turn on Exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability -description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,7 +16,7 @@ ms.date: 08/25/2017 -# Enable Exploit Protection +# Enable Exploit protection **Applies to:** @@ -38,27 +38,27 @@ ms.date: 08/25/2017 -Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -## Enable and audit Exploit Protection +## Enable and audit Exploit protection -You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. +You enable and configure each Exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. -The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. +The mitigations available in Exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. +You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. -See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations: +See the following topics for instructions on configuring Exploit protection mitigations and importing, exporting, and converting configurations: 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). @@ -68,9 +68,9 @@ See the following topics for instructions on configuring Exploit Protection miti - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit Protection](evaluate-exploit-protection.md) -- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate Exploit protection](evaluate-exploit-protection.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 4e8f0eea70..87afa2e97d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -1,7 +1,7 @@ --- -title: Turn Network Protection on -description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs -keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on +title: Turn Network protection on +description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs +keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -15,7 +15,7 @@ ms.date: 08/25/2017 --- -# Enable Network Protection +# Enable Network protection **Applies to:** @@ -36,19 +36,19 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). +This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). -## Enable and audit Network Protection +## Enable and audit Network protection -You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. +You can enable Network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -### Use Group Policy to enable or audit Network Protection +### Use Group Policy to enable or audit Network protection 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -57,19 +57,19 @@ For background information on how audit mode works, and when you might want to u 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**. +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**. 6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following: - **Block** - Users will not be able to access malicious IP addresses and domains - - **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains + - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. >[!IMPORTANT] ->To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +>To fully enable the Network protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - ### Use PowerShell to enable or audit Network Protection + ### Use PowerShell to enable or audit Network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -88,13 +88,13 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. -### Use MDM CSPs to enable or audit Network Protection +### Use MDM CSPs to enable or audit Network protection -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection. +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. ## Related topics - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Evaluate Network Protection](evaluate-network-protection.md) +- [Evaluate Network protection](evaluate-network-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 1e5a5acdee..bd2b01af18 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Use a demo to see how ASR can help protect your devices description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -15,7 +15,7 @@ ms.date: 08/25/2017 --- -# Evaluate Attack Surface Reduction rules +# Evaluate Attack surface reduction rules **Applies to:** @@ -37,18 +37,18 @@ ms.date: 08/25/2017 -Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). +Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). -This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. +This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. >[!NOTE] >This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). -## Use the demo tool to see how Attack Surface Reduction works +## Use the demo tool to see how Attack surface reduction works -Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. +Use the **ExploitGuard ASR test tool** app to see how Attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) @@ -57,12 +57,12 @@ This tool has a simple user interface that lets you choose a rule, configure it When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. -![](images/asr-test-tool.png) +![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png) Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. >[!IMPORTANT] ->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). +>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). **Run a rule using the demo tool:** @@ -93,13 +93,13 @@ Choosing the **Mode** will change how the rule functions: Mode option | Description -|- -Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all. -Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction. -Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine. +Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack surface reduction at all. +Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack surface reduction. +Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack surface reduction will work but without impacting how you use the machine. Block mode will cause a notification to appear on the user's desktop: -![](images/asr-notif.png) +![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png) You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. @@ -181,9 +181,9 @@ Malware and other threats can attempt to obfuscate or hide their malicious code - Potentially obfuscated scripts will be blocked when an attempt is made to access them -## Review Attack Surface Reduction events in Windows Event Viewer +## Review Attack surface reduction events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool: +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. @@ -193,7 +193,7 @@ You can also review the Windows event log to see the events there were created w 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: +5. This will create a custom view that filters to only show the following events related to Attack surface reduction: Event ID | Description -|- @@ -204,7 +204,7 @@ Event ID | Description ## Use audit mode to measure impact -You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. +You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. @@ -214,19 +214,19 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` -This enables all Attack Surface Reduction rules in audit mode. +This enables all Attack surface reduction rules in audit mode. >[!TIP] ->If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). +>If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). -## Customize Attack Surface Reduction +## Customize Attack surface reduction During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. -See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. +See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 3b7019e217..f8829b944e 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -1,7 +1,7 @@ --- title: See how CFA can help protect files from being changed by malicious apps -description: Use a custom tool to see how Controlled Folder Access works in Windows 10. -keywords: controlled folder access, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try +description: Use a custom tool to see how Controlled folder access works in Windows 10. +keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -15,7 +15,7 @@ ms.date: 08/25/2017 --- -# Evaluate Controlled Folder Access +# Evaluate Controlled folder access **Applies to:** @@ -34,27 +34,27 @@ ms.date: 08/25/2017 - Group Policy - PowerShell -Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). +Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. +This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md). -## Use the demo tool to see how Controlled Folder Access works +## Use the demo tool to see how Controlled folder access works -Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. +Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder access can prevent a suspicious app from creating files in protected folders. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) -This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. +This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. -You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. +You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. @@ -62,7 +62,7 @@ You can enable Controlled Folder Access, run the tool, and see what the experien 2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. -3. Enter the following in the PowerShell window to enable Controlled Folder Access: +3. Enter the following in the PowerShell window to enable Controlled folder access: ```PowerShell Set-MpPreference -EnableControlledFolderAccess Enabled ``` @@ -73,15 +73,15 @@ You can enable Controlled Folder Access, run the tool, and see what the experien 6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. - ![](images/cfa-filecreator.png) + ![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png) 7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: - ![](images/cfa-notif.png) + ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png) -## Review Controlled Folder Access events in Windows Event Viewer +## Review Controlled folder access events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool: +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. @@ -91,18 +91,18 @@ You can also review the Windows event log to see the events there were created w 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: +5. This will create a custom view that filters to only show the following events related to Controlled folder access: Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled Folder Access event -1123 | Blocked Controlled Folder Access event +1124 | Audited Controlled folder access event +1123 | Blocked Controlled folder access event ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. +As with other Windows Defender EG features, you can enable the Controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. @@ -113,8 +113,8 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` >[!TIP] ->If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). +>If you want to fully audit how Controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled folder access topic](controlled-folders-exploit-guard.md). For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). @@ -125,9 +125,9 @@ For further details on how audit mode works, and when you might want to use it, During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. +See the main [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 94309ec278..3e65984587 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -1,7 +1,7 @@ --- -title: See how Exploit Protection works in a demo -description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps. -keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation +title: See how Exploit protection works in a demo +description: See how Exploit protection can prevent suspicious behaviors from occurring on specific apps. +keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,7 +16,7 @@ ms.date: 08/25/2017 -# Evaluate Exploit Protection +# Evaluate Exploit protection **Applies to:** @@ -36,18 +36,18 @@ ms.date: 08/25/2017 - PowerShell -Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. -This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment. +This topcs helps you evaluate Exploit protection. See the [Exploit protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit protection does and how to configure it for real-world deployment. >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) . +>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md) . -## Enable and validate an Exploit Protection mitigation +## Enable and validate an Exploit protection mitigation For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. @@ -58,7 +58,7 @@ First, enable the mitigation using PowerShell, and then confirm that it has been 2. Enter the following cmdlet: ```PowerShell - SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation + Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation ``` 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -90,9 +90,9 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a 5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. -## Review Exploit Protection events in Windows Event Viewer +## Review Exploit protection events in Windows Event Viewer -You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened: +You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. @@ -104,7 +104,7 @@ You can now review the events that Exploit Protection sent to the Windows Event 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic. +5. This will create a custom view that filters to only show the following events related to Exploit protection, which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic. 6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: @@ -113,13 +113,13 @@ You can now review the events that Exploit Protection sent to the Windows Event ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations. +As with other Windows Defender EG features, you can enable Exploit protection in audit mode. You can enable audit mode for individual mitigations. This lets you see a record of what *would* have happened if you had enabled the mitigation. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. -See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. +See the [**PowerShell reference** section in the Customize Exploit protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). @@ -128,6 +128,6 @@ For further details on how audit mode works, and when you might want to use it, ## Related topics - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Enable Exploit Protection](enable-exploit-protection.md) -- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file +- [Enable Exploit protection](enable-exploit-protection.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 41d3ca0276..af1f57f168 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -1,7 +1,7 @@ --- -title: Conduct a demo to see how Network Protection works -description: Quickly see how Network Protection works by performing common scenarios that it protects against -keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo +title: Conduct a demo to see how Network protection works +description: Quickly see how Network protection works by performing common scenarios that it protects against +keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -14,7 +14,7 @@ ms.author: iawilt ms.date: 08/25/2017 --- -# Evaluate Network Protection +# Evaluate Network protection @@ -36,16 +36,16 @@ ms.date: 08/25/2017 -Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site. +This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. >[!NOTE] >The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. -## Enable Network Protection +## Enable Network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -64,12 +64,12 @@ You can also carry out the processes described in this topic in audit or disable You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. -![](images/np-notif.png) +![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png) - ## Review Network Protection events in Windows Event Viewer + ## Review Network protection events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when performing the demo: +You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. @@ -79,7 +79,7 @@ You can also review the Windows event log to see the events there were created w 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network Protection: +5. This will create a custom view that filters to only show the following events related to Network protection: Event ID | Description -|- @@ -90,7 +90,7 @@ Event ID | Description ## Use audit mode to measure impact -You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. +You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. @@ -102,8 +102,8 @@ Set-MpPreference -EnableNetworkProtection AuditMode >[!TIP] ->If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md). +>If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md). diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 7f93a40671..014d2fef07 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -36,10 +36,10 @@ Windows Defender Exploit Guard is comprised of four features. We've developed ev Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are. -- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) -- [Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) -- [Evaluate Exploit Protection](evaluate-exploit-protection.md) -- [Evaluate Network Protection](evaluate-network-protection.md) +- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) +- [Evaluate Controlled folder access](evaluate-controlled-folder-access.md) +- [Evaluate Exploit protection](evaluate-exploit-protection.md) +- [Evaluate Network protection](evaluate-network-protection.md) You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: @@ -52,4 +52,4 @@ Topic | Description - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) \ No newline at end of file +- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 2e4142e7ae..f3ad3cb57e 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -16,7 +16,7 @@ ms.author: iawilt --- -# Reduce attack surfaces with Windows Defender Exploit Guard +# View Windows Defender Exploit Guard events **Applies to:** @@ -35,25 +35,29 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. +You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subsciption and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). + ## Use custom views to review Windows Defender Exploit Guard features You can create custom views in the Windows Event Viewer to only see events for specific features and settings. The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. +You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details. + ### Import an existing XML custom view -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views: - - Controlled Folder Access events custom view: *cfa-events.xml* - - Exploit Protection events custom view: *ep-events.xml* - - Attack Surface Reduction events custom view: *asr-events.xml* - - Network Protection events custom view: *np-events.xml* +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views: + - Controlled folder access events custom view: *cfa-events.xml* + - Exploit protection events custom view: *ep-events.xml* + - Attack surface reduction events custom view: *asr-events.xml* + - Network protection events custom view: *np-events.xml* 1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. 3. On the left panel, under **Actions**, click **Import Custom View...** - ![](images/events-import.gif) + ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif) 4. Navigate to where you extracted XML file for the custom view you want and select it. @@ -69,7 +73,7 @@ The easiest way to do this is to import a custom view as an XML file. You can ob 3. On the left panel, under **Actions**, click **Create Custom View...** - ![](images/events-create.gif) + ![Animation highlighting the create custom view option on the Event viewer window ](images/events-create.gif) 4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. @@ -83,7 +87,7 @@ The easiest way to do this is to import a custom view as an XML file. You can ob -### XML for Attack Surface Reduction events +### XML for Attack surface reduction events ```xml @@ -94,7 +98,7 @@ The easiest way to do this is to import a custom view as an XML file. You can ob ``` -### XML for Controlled Folder Access events +### XML for Controlled folder access events ```xml @@ -105,7 +109,7 @@ The easiest way to do this is to import a custom view as an XML file. You can ob ``` -### XML for Exploit Protection events +### XML for Exploit protection events ```xml @@ -125,7 +129,7 @@ The easiest way to do this is to import a custom view as an XML file. You can ob ``` -### XML for Network Protection events +### XML for Network protection events ```xml @@ -144,40 +148,48 @@ The easiest way to do this is to import a custom view as an XML file. You can ob All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. +You can access these events in Windows Event viewer: + +1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result. +2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. +3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking. + + ![Animation showing using Event Viewer](images/event-viewer.gif) + Feature | Provider/source | Event ID | Description :-|:-|:-:|:- -Exploit Protection | Security-Mitigations | 1 | ACG audit -Exploit Protection | Security-Mitigations | 2 | ACG enforce -Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit -Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block -Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit -Exploit Protection | Security-Mitigations | 6 | Block low integrity images block -Exploit Protection | Security-Mitigations | 7 | Block remote images audit -Exploit Protection | Security-Mitigations | 8 | Block remote images block -Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit -Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block -Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit -Exploit Protection | Security-Mitigations | 12 | Code integrity guard block -Exploit Protection | Security-Mitigations | 13 | EAF audit -Exploit Protection | Security-Mitigations | 14 | EAF enforce -Exploit Protection | Security-Mitigations | 15 | EAF+ audit -Exploit Protection | Security-Mitigations | 16 | EAF+ enforce -Exploit Protection | Security-Mitigations | 17 | IAF audit -Exploit Protection | Security-Mitigations | 18 | IAF enforce -Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit -Exploit Protection | Security-Mitigations | 20 | ROP StackPivot enforce -Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit -Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce -Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit -Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce -Exploit Protection | WER-Diagnostics | 5 | CFG Block -Exploit Protection | Win32K | 260 | Untrusted Font -Network Protection | Windows Defender | 5007 | Event when settings are changed -Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode -Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode -Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed -Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event -Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event -Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed -Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode -Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode \ No newline at end of file +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit +Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce +Exploit protection | WER-Diagnostics | 5 | CFG Block +Exploit protection | Win32K (Operational) | 260 | Untrusted Font +Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed +Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode +Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode +Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed +Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event +Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event +Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed +Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode +Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index cc5ba5334b..8b5068a19b 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -1,7 +1,7 @@ --- title: Apply mitigations to help prevent attacks through vulnerabilities keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet -description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -38,37 +38,37 @@ ms.date: 08/25/2017 -Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. +Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled. + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. ## Requirements -The following requirements must be met before Exploit Protection will work: +The following requirements must be met before Exploit protection will work: Windows 10 version | Windows Defender Advanced Threat Protection -|- Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - ## Review Exploit Protection events in Windows Event Viewer + ## Review Exploit protection events in Windows Event Viewer -You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app: +You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. @@ -76,13 +76,13 @@ You can review the Windows event log to see events that are created when Exploit 3. On the left panel, under **Actions**, click **Import custom view...** - ![](images/events-import.gif) + ![Antimated GIF highlighting the import custom view button on the right pane ](images/events-import.gif) 4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 5. Click **OK**. -6. This will create a custom view that filters to only show the following events related to Exploit Protection: +6. This will create a custom view that filters to only show the following events related to Exploit protection: Provider/source | Event ID | Description -|:-:|- @@ -118,8 +118,8 @@ Win32K | 260 | Untrusted Font Topic | Description ---|--- -[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved. -[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior. -[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network. -[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. -[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection. \ No newline at end of file +[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved. +[Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior. +[Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network. +[Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. +[Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection. diff --git a/windows/threat-protection/windows-defender-exploit-guard/graphics.md b/windows/threat-protection/windows-defender-exploit-guard/graphics.md new file mode 100644 index 0000000000..62fbf7102a --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/graphics.md @@ -0,0 +1,4 @@ +Check mark no + + +Check mark yes \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png b/windows/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png new file mode 100644 index 0000000000..7e4e011d4f Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png new file mode 100644 index 0000000000..040c7d2f63 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png new file mode 100644 index 0000000000..eafac1db7a Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif new file mode 100644 index 0000000000..7909bfe728 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md new file mode 100644 index 0000000000..afa7a3d27d --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md new file mode 100644 index 0000000000..4dd10553c4 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index c864cb9ed7..dec6e37038 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -1,7 +1,7 @@ --- -title: Deploy Exploit Protection mitigations across your organization -keywords: exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install -description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit Protection configuration. +title: Deploy Exploit protection mitigations across your organization +keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install +description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,7 +16,7 @@ ms.date: 08/25/2017 -# Import, export, and deploy Exploit Protection configurations +# Import, export, and deploy Exploit protection configurations **Applies to:** @@ -39,19 +39,19 @@ ms.date: 08/25/2017 -Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit Protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit protection. You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. -You can also convert and import an existing EMET configuration XML file into an Exploit Protection configuration XML. +You can also convert and import an existing EMET configuration XML file into an Exploit protection configuration XML. This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. -The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit Protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. +The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. @@ -59,23 +59,22 @@ The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample Before you export a configuration file, you need to ensure you have the correct settings. -You should first configure Exploit Protection on a single, dedicated machine. See the [Customize Exploit Protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations. +You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations. -When you have configured Exploit Protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. +When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. ### Use the Windows Defender Security Center app to export a configuration file -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![](images/wdsc-exp-prot.png) + ![Highlight of the Exploit protection settings option in the Windows Defender Security Center app](images/wdsc-exp-prot.png) 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. - - ![](images/wdsc-exp-prot-export.png) +![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png) >[!NOTE] >When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. @@ -98,7 +97,7 @@ Change `filename` to any name or location of your choosing. ## Import a configuration file -You can import an Exploit Protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. +You can import an Exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app. @@ -112,15 +111,15 @@ After importing, the settings will be instantly applied and can be reviewed in t Set-ProcessMitigation -RegistryConfigFilePath filename.xml ``` -Change `filename` to the location and name of the Exploit Protection XML file. +Change `filename` to the location and name of the Exploit protection XML file. >[!IMPORTANT] ->Ensure you import a configuration file that is created specifically for Exploit Protection. You cannot directly import an EMET configuration file, you must convert it first. +>Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first. -## Convert an EMET configuration file to an Exploit Protection configuration file +## Convert an EMET configuration file to an Exploit protection configuration file -You can convert an existing EMET configuration file to the new format used by Exploit Protection. You must do this if you want to import an EMET configuration into Exploit Protection in Windows 10. +You can convert an existing EMET configuration file to the new format used by Exploit protection. You must do this if you want to import an EMET configuration into Exploit protection in Windows 10. You can only do this conversion in PowerShell. @@ -149,15 +148,15 @@ You can use Group Policy to deploy the configuration you've created to multiple 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit Protection**. +5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**. - ![](images/exp-prot-gp.png) + ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png) -6. Double-click the **Use a common set of exploit protection settings** setting and set the option to **Enabled**. +6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. -7. In the **Options::** section, enter the location and filename of the Exploit Protection configuration file that you want to use, such as in the following examples: +7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples: - C:\MitigationSettings\Config.XML - - \\Server\Share\Config.xml + - \\\Server\Share\Config.xml - https://localhost:8080/Config.xml 8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). @@ -167,6 +166,6 @@ You can use Group Policy to deploy the configuration you've created to multiple - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit Protection](evaluate-exploit-protection.md) -- [Enable Exploit Protection](enable-exploit-protection.md) -- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Evaluate Exploit protection](evaluate-exploit-protection.md) +- [Enable Exploit protection](enable-exploit-protection.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 2f1e023d45..3f78879c88 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -1,7 +1,7 @@ --- -title: Use Network Protection to help prevent connections to bad sites +title: Use Network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses -keywords: Network Protection, exploits, malicious website, ip, domain, domains +keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -36,33 +36,33 @@ ms.date: 08/25/2017 - Configuration service providers for mobile device management -Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -When Network Protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. ## Requirements -The following requirements must be met before Network Protection will work: +The following requirements must be met before Network protection will work: Windows 10 version | Windows Defender Antivirus - | - Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled -## Review Network Protection events in Windows Event Viewer +## Review Network protection events in Windows Event Viewer -You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain: +You can review the Windows event log to see events that are created when Network protection blocks (or audits) access to a malicious IP or domain: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. @@ -70,19 +70,19 @@ You can review the Windows event log to see events that are created when Network 2. On the left panel, under **Actions**, click **Import custom view...** - ![](images/events-import.gif) + ![Antimation of the import custom view option](images/events-import.gif) 3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network Protection: +5. This will create a custom view that filters to only show the following events related to Network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when Network Protection fires in Audit-mode -1126 | Event when Network Protection fires in Block-mode +1125 | Event when Network protection fires in Audit-mode +1126 | Event when Network protection fires in Block-mode @@ -91,5 +91,5 @@ You can review the Windows event log to see events that are created when Network Topic | Description ---|--- -[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created. -[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network. \ No newline at end of file +[Evaluate Network protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created. +[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network. \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 3df7e0ace2..bed224d838 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -1,7 +1,7 @@ --- title: Use Windows Defender Exploit Guard to protect your network description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks -keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system +keywords: emet, exploit guard, Controlled folder access, Network protection, Exploit protection, Attack surface reduction, hips, host intrusion prevention system search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -33,10 +33,10 @@ Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrus There are four features in Windows Defender EG: -- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps -- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware -- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices -- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware +- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps +- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware +- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices +- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action: @@ -58,10 +58,10 @@ Each of the features in Windows Defender EG have slightly different requirements Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) -|-|-|- -Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console -Attack Surface Reduction | Must be enabled | Required for reporting in the Windows Defender ATP console -Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console -Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console +Exploit protection | No requirement | Required for reporting in the Windows Defender ATP console +Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console +Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console +Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console > [!NOTE] > Each feature's requirements are further described in the individual topics in this library. @@ -71,9 +71,9 @@ Controlled Folder Access | Must be enabled | Required for reporting in the Windo Topic | Description ---|--- -[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. +[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. -[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. +[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 804c2d9152..d699cfe2ba 100644 --- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 08/25/2017 +ms.date: 10/04/2017 --- @@ -125,11 +125,11 @@ See the following links for more information on the features in the Windows Defe You can customize notifcations so they show information to users about how to get more help from your organization's help desk. -![](images/security-center-custom-notif.png) +![Sample notification that says Action blocked: Contos caused Windows Defender Security Center to block this action. Contact your IT help desk.](images/security-center-custom-notif.png) This information will also appear as a pop-out window on the Windows Defender Security Center app. -![](images/security-center-custom-flyout.png) +![Screenshot of the Windows Defender Security Center app showing sample phone number and email address to contact support on the bottom right of the app](images/security-center-custom-flyout.png) Users can click on the displayed information to get more help: - Clicking **Call** or the phone number will open Skype to start a call to the displayed number diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 982900b337..20c9142eb6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -15,8 +15,9 @@ Below is a list of some of the new and updated features in Windows 10, version 1 >[!NOTE] >For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). -  -  + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). +   ## Deployment ### Windows Imaging and Configuration Designer (ICD) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index f9ecc8bc12..ce0429a0bf 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -18,6 +18,8 @@ For more general info about Windows 10 features, see [Features available only on >[!NOTE] >Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).   ## Configuration