diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index 4188a5ce94..77890240cb 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -37,6 +37,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage | [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | | [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. | +|[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)|Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. ## Interoperability goals and enterprise guidance diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index fb5ad0c6f2..9a9115a9ac 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -5,4 +5,5 @@ ##[Available policies for Microsoft Edge](available-policies.md) ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) ##[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) +##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 097833b6a3..b7642204dd 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -21,7 +21,7 @@ Microsoft Edge works with Group Policy and Microsoft Intune to help you manage y By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. > [!NOTE] -> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). +> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). ## Group Policy settings Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations: @@ -1027,5 +1027,4 @@ These are additional Windows 10-specific MDM policy settings that work with Mic - **1 (default).** Employees can sync between PCs. ## Related topics -* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514) * [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) \ No newline at end of file diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md new file mode 100644 index 0000000000..f24235f60d --- /dev/null +++ b/browsers/edge/microsoft-edge-faq.md @@ -0,0 +1,83 @@ +--- +title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros (Microsoft Edge for IT Pros) +description: Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. +author: eross-msft +ms.author: lizross +ms.prod: edge +ms.mktglfcycl: general +ms.sitesec: library +ms.localizationpriority: high +--- + +# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros + +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +**Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?** + +**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites. + +For more information on how Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + +**Q: Does Microsoft Edge work with Enterprise Mode?** + +**A:** [Enterprise Mode](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. For guidance and additional resources, please visit the [Microsoft Edge IT Center](https://technet.microsoft.com/en-us/microsoft-edge). + + +**Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?** + +**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. + +**Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?** + +**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service. + +**Q: How do I customize Microsoft Edge and related settings for my organization?** + +**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies) for a list of available policies for Microsoft Edge. + +**Q: Is Adobe Flash supported in Microsoft Edge?** + +**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with [Click-to-Run for Flash](https://blogs.windows.com/msedgedev/2016/12/14/edge-flash-click-run/) in the Windows 10 Creators Update. + +For more information about the phasing out of Flash, read the [End of an Era – Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#85ZBy7aiVlDQHebO.97) blog post. + +**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** + +**A:** No, ActiveX controls and BHOs such as Silverlight or Java are not supported in Microsoft Edge. The need for ActiveX controls has been significantly reduced by modern web standards, which are more interoperable across browsers. We are working on plans for an extension model based on the modern web platform in Microsoft Edge. We look forward to sharing more details on these plans soon. Not supporting legacy controls in Microsoft Edge provides many benefits including better interoperability with other modern browsers, as well as increased performance, security, and reliability. + +**Q: How often will Microsoft Edge be updated?** + +**A:** In Windows 10, we are delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, and the bigger feature updates are currently pushed out with the Windows 10 releases on a semi-annual cadence. + +**Q: How can I provide feedback on Microsoft Edge?** + +**A:** Microsoft Edge is an evergreen browser and we will continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, you can use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. You can also provide feedback through the [Microsoft Edge Dev Twitter](https://twitter.com/MSEdgeDev) account. + +**Q: Will Internet Explorer 11 continue to receive updates?** + +**A:** We will continue to deliver security updates to Internet Explorer 11 through its supported lifespan. To ensure consistent behavior across Windows versions, we will evaluate Internet Explorer 11 bugs for servicing on a case by case basis. The latest features and platform updates will only be available in Microsoft Edge. + +**Q: I loaded a web page and Microsoft Edge sent me to Internet Explorer - what happened?** + +**A:** In some cases, Internet Explorer loads automatically for sites that still rely on legacy technologies such as ActiveX. For more information, read [Legacy web apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#uHpbs94kAaVsU1qB.97). + +**Q: Why is Do Not Track (DNT) off by default in Microsoft Edge?** + +**A:** When Microsoft first set the Do Not Track setting to “On” by default in Internet Explorer 10, industry standards had not yet been established. We are now making this default change as the World Wide Web Consortium (W3C) formalizes industry standards to recommend that default settings allow customers to actively indicate whether they want to enable DNT. As a result, DNT will not be enabled by default in upcoming versions of Microsoft’s browsers, but we will provide customers with clear information on how to turn this feature on in the browser settings should you wish to do so. + +**Q: How do I find out what version of Microsoft Edge I have?** + +**A:** Open Microsoft Edge. In the upper right corner click the ellipses icon (**…**), and then click **Settings**. Look in the **About this app** section to find your version. + +**Q: What is Microsoft EdgeHTML?** + +**A:** Microsoft EdgeHTML is the new web rendering engine that powers the Microsoft Edge web browser and Windows 10 web app platform, and that helps web developers build and maintain a consistent site across all modern browsers. The Microsoft EdgeHTML engine also helps to defend against hacking through support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks, and support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant), which helps ensure that connections to important sites, such as to your bank, are always secured. + +**Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?** + +**A:** Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. Although we don’t have any plans to bring Microsoft Edge to Windows 7 or Windows 8.1 at this time, you can test Microsoft Edge with older versions of Internet Explorer using [free virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). + diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 74d61c7720..82f4db6262 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -40,6 +40,7 @@ ### [Using a room control system](use-room-control-system-with-surface-hub.md) ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) +## [Top support solutions for Surface Hub](support-solutions-surface-hub.md) ## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) ## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) ## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 6fc60ccb51..fc50a8188d 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -16,6 +16,12 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## September 2017 + +New or changed topic | Description +--- | --- +[Top support solutions for Surface Hub](support-solutions-surface-hub.md) | New + ## August 2017 diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index ab8cbc200f..cdde9fd95e 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -44,6 +44,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof | [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | | [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | | [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | +| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. | | [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | | [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. | | [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 25cca9e168..bd66726afe 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -40,3 +40,6 @@ Learn about managing and updating Surface Hub. | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. | | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| +## Related topics + +- [View Power BI presentation mode on Surface Hub & Windows 10](https://powerbi.microsoft.com/documentation/powerbi-mobile-win10-app-presentation-mode/) \ No newline at end of file diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md new file mode 100644 index 0000000000..f6eeed64e8 --- /dev/null +++ b/devices/surface-hub/support-solutions-surface-hub.md @@ -0,0 +1,50 @@ +--- +title: Top support solutions for Microsoft Surface Hub +description: Find top solutions for common issues using Surface Hub. +ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A +keywords: Troubleshoot common problems, setup issues +ms.prod: w10 +ms.mktglfcycl: support +ms.sitesec: library +ms.pagetype: surfacehub +author: kaushika-msft +ms.author: jdecker +ms.date: 09/07/2017 +ms.localizationpriority: medium +--- + +# Top support solutions for Microsoft Surface Hub + +Microsoft regularly releases both updates and solutions for Surface Hub. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface Hub devices updated. For a complete listing of the update history, see [Surface Hub update history](https://www.microsoft.com/surface/support/surface-hub/surface-hub-update-history) and [Known issues and additional information about Microsoft Surface Hub](https://support.microsoft.com/help/4025643). + + +These are the top Microsoft Support solutions for common issues experienced when using Surface Hub. + +## Setup and install issues + +- [Setup troubleshooting](troubleshoot-surface-hub.md#setup-troubleshooting) +- [Exchange ActiveSync errors](troubleshoot-surface-hub.md#exchange-activesync-errors) + +## Miracast issues + +- [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) + +## Download updates issues + +- [Surface Hub can't download updates from Windows Update](https://support.microsoft.com/help/3191418/surface-hub-can-t-download-updates-from-windows-update) + +## Connect app issues + +- [The Connect app in Surface Hub exits unexpectedly](https://support.microsoft.com/help/3157417/the-connect-app-in-surface-hub-exits-unexpectedly) + + + +  + + +  + + + + + diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index 46b82e72e3..8fb31f0492 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -20,8 +20,6 @@ Troubleshoot common problems, including setup issues, Exchange ActiveSync errors Common issues are listed in the following table, along with causes and possible fixes. The [Setup troubleshooting](#setup-troubleshooting) section contains a listing of on-device problems, along with several types of issues that may be encountered during the first-run experience. The [Exchange ActiveSync errors](#exchange-activesync-errors) section lists common errors the device may encounter when trying to synchronize with an Microsoft Exchange ActiveSync server. -- [Setup troubleshooting](#setup-troubleshooting) -- [Exchange ActiveSync errors](#exchange-activesync-errors) ## Setup troubleshooting diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 192f88b5e0..45393cc7e9 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -26,6 +26,7 @@ ### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) +## [Top support solutions for Surface devices](support-solutions-surface.md) ## [Change history for Surface documentation](change-history-for-surface.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 33992b2d0a..04cd11e9f1 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -11,6 +11,12 @@ author: jdeckerms This topic lists new and updated topics in the Surface documentation library. +## September 2017 + +New or changed topic | Description +--- | --- +[Top support solutions for Surface devices](support-solutions-surface.md) | New + ## June 2017 |New or changed topic | Description | diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md index 1e6ca989c9..52626b026e 100644 --- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md +++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md @@ -1,6 +1,6 @@ --- title: Deploy Surface app with Microsoft Store for Business or Microsoft Store for Education (Surface) -description: Find out how to add and download Surface app with Windows Store for Business or Microsoft Store for Education, as well as install Surface app with PowerShell and MDT. +description: Find out how to add and download Surface app with Microsoft Store for Business or Microsoft Store for Education, as well as install Surface app with PowerShell and MDT. keywords: surface app, app, deployment, customize ms.prod: w10 ms.mktglfcycl: deploy @@ -31,7 +31,7 @@ The Surface app is a lightweight Windows Store app that provides control of many * Quick access to support documentation and information for your device -If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Windows Store for Business. +If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Microsoft Store for Business. ##Surface app overview @@ -45,11 +45,11 @@ Before users can install or deploy an app from a company’s Microsoft Store for 2. Log on to the portal. -3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing_model).

+3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing_model).

![Show offline licenses apps checkbox](images/deploysurfapp-figure1-enablingapps.png "Show offline licenses apps checkbox")
*Figure 1. Enable apps for offline use* -4. Add Surface app to your Micrososft Store for Business account by following this procedure: +4. Add Surface app to your Microsoft Store for Business account by following this procedure: * Click the **Shop** menu. * In the search box, type **Surface app**, and then click the search icon. * After the Surface app is presented in the search results, click the app’s icon. @@ -68,9 +68,9 @@ Before users can install or deploy an app from a company’s Microsoft Store for * Click **OK**. ##Download Surface app from a Microsoft Store for Business account -After you add an app to the Windows Store for Business account in Offline mode, you can download and add the app as an AppxBundle to a deployment share. +After you add an app to the Microsoft Store for Business account in Offline mode, you can download and add the app as an AppxBundle to a deployment share. 1. Log on to the Microsoft Store for Business account at https://businessstore.microsoft.com. -2. Click **Manage->Apps & software**. A list of all of your company’s apps is displayed, including the Surface app you added in the [Add Surface app to a Windows Store for Business account](#add-surface-app-to-a-windows-store-for-business-account) section of this article. +2. Click **Manage->Apps & software**. A list of all of your company’s apps is displayed, including the Surface app you added in the [Add Surface app to a Microsoft Store for Business account](#add-surface-app-to-a-microsoft-store-for-business-account) section of this article. 3. Under **Actions**, click the ellipsis (**…**), and then click **Download for offline use** for the Surface app. 4. Select the desired **Platform** and **Architecture** options from the available selections for the selected app, as shown in Figure 4. @@ -78,7 +78,7 @@ After you add an app to the Windows Store for Business account in Offline mode, *Figure 4. Download the AppxBundle package for an app* 5. Click **Download**. The AppxBundle package will be downloaded. Make sure you note the path of the downloaded file because you’ll need that later in this article. -6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Imaging and Configuration Designer (Windows ICD). Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT). +6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Configuration Designer to create a provisioning package. Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT). 7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because you’ll need that later in this article. >[!NOTE] @@ -102,9 +102,12 @@ To download the required frameworks for the Surface app, follow these steps: ##Install Surface app on your computer with PowerShell The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards. -1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file. +1. Using the procedure described in the [How to download Surface app from a Microsoft Store for Business account](#download-surface-app-from-a-microsoft-store-for-business-account) section of this article, download the Surface app AppxBundle and license file. 2. Begin an elevated PowerShell session. ->**Note:**  If you don’t run PowerShell as an Administrator, the session won’t have the required permissions to install the app. + + >[!NOTE] + >If you don’t run PowerShell as an Administrator, the session won’t have the required permissions to install the app. + 3. In the elevated PowerShell session, copy and paste the following command: ``` Add-AppxProvisionedPackage –Online –PackagePath \ Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle –LicensePath \ Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml @@ -118,7 +121,9 @@ The following procedure provisions the Surface app onto your computer and makes ``` 4. The Surface app will now be available on your current Windows computer. + Before the Surface app is functional on the computer where it has been provisioned, you must also provision the frameworks described earlier in this article. To provision these frameworks, use the following procedure in the elevated PowerShell session you used to provision the Surface app. + 5. In the elevated PowerShell session, copy and paste the following command: ``` Add-AppxProvisionedPackage –Online –SkipLicense –PackagePath \Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx @@ -130,7 +135,7 @@ Before the Surface app is functional on the computer where it has been provision ##Install Surface app with MDT The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image. -1. Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file. +1. Using the procedure described [earlier in this article](#download-surface-app-from-a-microsoft-store-for-business-account), download the Surface app AppxBundle and license file. 2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**. 3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows: diff --git a/devices/surface/index.md b/devices/surface/index.md index 65fba37343..eeecfa1314 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -30,6 +30,7 @@ For more information on planning for, deploying, and managing Surface devices in | [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. | | [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. | | [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. | +| [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. | | [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. | diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md new file mode 100644 index 0000000000..432c5dfe34 --- /dev/null +++ b/devices/surface/support-solutions-surface.md @@ -0,0 +1,64 @@ +--- +title: Top support solutions for Surface devices +description: Find top solutions for common issues using Surface devices in the enterprise. +ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A +keywords: Troubleshoot common problems, setup issues +ms.prod: w10 +ms.mktglfcycl: support +ms.sitesec: library +ms.pagetype: surfacehub +author: kaushika-msft +ms.author: jdecker +ms.date: 09/07/2017 +ms.localizationpriority: medium +--- + +# Top support solutions for Surface devices + +Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated. For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined). + + +These are the top Microsoft Support solutions for common issues experienced when using Surface devices in an enterprise. + +## Screen cracked or scratched issues + +- [Cracked screen and physical damage](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-is-damaged) + + +##Device cover or keyboard issues + +- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards) +- [Troubleshoot problems with Surface Keyboard, Surface Ergonomic Keyboard, and Microsoft Modern Keyboard with Fingerprint ID](https://www.microsoft.com/surface/support/touch-mouse-and-search/surface-keyboard-troubleshooting) +- [Set up Microsoft Modern Keyboard with Fingerprint ID](https://www.microsoft.com/surface/support/touch-mouse-and-search/microsoft-modern-keyboard-fingerprintid-set-up) +- [Enabling Surface Laptop keyboard during MDT deployment](https://blogs.technet.microsoft.com/askcore/2017/08/18/enabling-surface-laptop-keyboard-during-mdt-deployment/) + + +## Device won't wake from sleep or hibernation issues + +- [Surface won’t turn on or wake from sleep](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-wont-turn-on-or-wake-from-sleep?os=windows-10&=undefined) +- [Surface Pro 4 or Surface Book doesn't hibernate in Windows 10](https://support.microsoft.com/help/3122682) +- [Surface Pro 3 doesn't hibernate after four hours in connected standby](https://support.microsoft.com/help/2998588/surface-pro-3-doesn-t-hibernate-after-four-hours-in-connected-standby) +- [Surface Pro 3 Hibernation Doesn’t Occur on Enterprise Install](https://blogs.technet.microsoft.com/askcore/2014/11/05/surface-pro-3-hibernation-doesnt-occur-on-enterprise-install/) + + +## Other common issues + +- [Trouble installing Surface updates](https://www.microsoft.com/surface/support/performance-and-maintenance/troubleshoot-updates?os=windows-10&=undefined) +- [Troubleshooting common Surface Pro 3 issues post-deployment](http://blogs.technet.com/b/askcore/archive/2015/03/19/troubleshooting-common-surface-pro-3-issues-post-deployment.aspx) +- [Surface Pro 3 hibernation doesn't occur on enterprise install](https://blogs.technet.microsoft.com/askcore/2014/11/05/surface-pro-3-hibernation-doesnt-occur-on-enterprise-install/) +- [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manger OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd) +- [Troubleshoot docking stations for Surface Pro and Surface 3](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-docking-station?os=windows-8.1-update-1&=undefined) +- [What to do if Surface is running slower](https://www.microsoft.com/surface/support/performance-and-maintenance/what-to-do-if-surface-is-running-slower?os=windows-10&=undefined) + + + + +  + + +  + + + + + diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 699111447d..f5cf7d1f00 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -15,6 +15,12 @@ ms.date: 08/01/2017 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## September 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. | + ## August 2017 | New or changed topic | Description | diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ca1953e1e0..72ee15e1ab 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -9,7 +9,7 @@ ms.pagetype: edu ms.localizationpriority: high author: CelesteDG ms.author: celested -ms.date: 08/01/2017 +ms.date: 09/18/2017 --- # Use the Set up School PCs app @@ -103,7 +103,10 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the - [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40). - Install the app on your work PC and make sure you're connected to your school's network. -- You must be an administrator on Office 365 and Azure Active Directory, and have Microsoft Store for Education configured. It's best if you sign up for and configure Intune for Education before using the Set up School PCs app. +- You must have Office 365 and Azure Active Directory. +- You must have the Microsoft Store for Education configured. +- You must be a global admin, store admin, or purchaser in the Microsoft Store for Education. +- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app. - Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. ## Set up School PCs step-by-step diff --git a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md index a0c7a80e05..0167f592cc 100644 --- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md @@ -128,6 +128,20 @@ If different encryption strengths are used, MBAM will report the machine as **no As of HF02, the MBAM Self-Service Portal automatically adds the '-' on Key ID entry. **Note:** The Server has to be reconfigured for the Javascript to take effect. +### MBAM 2.5 Sp1 Reports does not work / render properly +Reports Page does not render properly when SSRS is hosted on SQL Server 2016 edition.  +For example – Browsing to Helpdesk – Clicking on Reports –  ( Highlighted portion have “x”  on it ) +Digging this further with Fiddler – it does look like once we click on Reports – it calls the SSRS page with HTML 4.0 rendering format. + +**Workaround:** Looking at the site.master code and noticed the X-UA mode was dictated as IE8. As IE8 is WAY past the end of life, and customer is using IE11. Update the setting to the below code. This allows the site to utilize IE11 rendering technologies + + + +Original setting is: + + +This is the reason why the issue was not seen with other browsers like Chrome, Firefox etc. + ## Got a suggestion for MBAM? diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index 0f6cc91a16..2be986c161 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md @@ -7,20 +7,20 @@ ms.sitesec: library ms.pagetype: store author: TrudyHa ms.author: TrudyHa -ms.date: 07/05/2107 +ms.date: 09/12/2017 ms.localizationpriority: high --- # Manage Windows device deployment with Windows AutoPilot Deployment **Applies to** - - Windows 10 -> [!IMPORTANT] -> This topic has been updated to reflect the latest functionality, which we are releasing to customers in stages. You may not see all of the options described here until you receive the update. +Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot). -Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot). +Watch this video to learn more about Windows AutoPilot in Micrsoft Store for Business. + + ## What is Windows AutoPilot Deployment Program? In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. @@ -54,9 +54,13 @@ To manage devices through Microsoft Store for Business and Education, you'll nee ### Device information file format Columns in the device information file need to use this naming and be in this order: -- Column 1: Device Serial Number -- Column 2: Windows Product ID -- Column 3: Hardware Hash +- Column A: Device Serial Number +- Column B: Windows Product ID +- Column C: Hardware Hash + +Here's a sample device information file: + +![Notepad file showing example entries for Column A (Device Serial Number), Column B (Windows Product ID), and Column C (Hardware Hash).](images/msfb-autopilot-csv.png) When you add devices, you need to add them to an *AutoPilot deployment group*. Use these groups to apply AutoPilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an AutoPilot deployment group. diff --git a/store-for-business/breadcrumb/toc.yml b/store-for-business/breadcrumb/toc.yml index 104d0bb7a6..4b1853471b 100644 --- a/store-for-business/breadcrumb/toc.yml +++ b/store-for-business/breadcrumb/toc.yml @@ -2,6 +2,6 @@ tocHref: / topicHref: / items: - - name: Windows Store for Business + - name: Microsoft Store for Business tocHref: /microsoft-store topicHref: /microsoft-store/index \ No newline at end of file diff --git a/store-for-business/images/autopilot-process.png b/store-for-business/images/autopilot-process.png index 491b8c0ef0..56c379fd5f 100644 Binary files a/store-for-business/images/autopilot-process.png and b/store-for-business/images/autopilot-process.png differ diff --git a/store-for-business/images/msfb-autopilot-csv.png b/store-for-business/images/msfb-autopilot-csv.png new file mode 100644 index 0000000000..d150ae4f42 Binary files /dev/null and b/store-for-business/images/msfb-autopilot-csv.png differ diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md index d9f542ffd7..227053e01a 100644 --- a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin ms.localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services @@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4022723](https://support.microsoft.com/en-us/help/4022723). +2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658). >[!IMPORTANT] >The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md index c3054a28fa..c9fc5f8eea 100644 --- a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -36,12 +36,12 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o 1. Open an elevated Windows PowerShell prompt. 2. Use the following command to install the Active Directory Certificate Services role. ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` 3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. ```PowerShell - Install-AdcsCertificateAuthority + Install-AdcsCertificationAuthority ``` ## Configure a Production Public Key Infrastructure diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index c11406fb24..877770ddae 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin ms.localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Windows Hello for Business Deployment Guide @@ -47,8 +47,10 @@ Hybrid deployments are for enterprises that use Azure Active Directory. On-prem The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers. Following are the various deployment guides included in this topic: +* [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md) * [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md new file mode 100644 index 0000000000..a60357cfcf --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -0,0 +1,144 @@ +--- +title: Windows Hello for Business Trust New Installation (Windows Hello for Business) +description: Windows Hello for Business Hybrid baseline deployment +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 09/08/2017 +--- +# Windows Hello for Business Certificate Trust New Installation + +**Applies to** +- Windows 10 + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies + +* [Active Directory](#active-directory) +* [Public Key Infrastructure](#public-key-infrastructure) +* [Azure Active Directory](#azure-active-directory) +* [Directory Synchronization](#directory-synchronization) +* [Active Directory Federation Services](#active-directory-federation-services) + + +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. + +The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. + +## Active Directory ## +Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization. + +Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. + +### Section Review + +> [!div class="checklist"] +> * Minimum Windows Server 2008 R2 domain controllers +> * Minimum Windows Server 2008 R2 domain and forest functional level +> * Functional networking, name resolution, and Active Directory replication + +## Public Key Infrastructure + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. + +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. + ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificateAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. + +### Section Review ### + +> [!div class="checklist"] +> * Miniumum Windows Server 2012 Certificate Authority. +> * Enterprise Certificate Authority. +> * Functioning public key infrastructure. + +## Azure Active Directory ## +You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. + +The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. + +### Section Review + +> [!div class="checklist"] +> * Review the different ways to establish an Azure Active Directory tenant. +> * Create an Azure Active Directory Tenant. +> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. + +## Multifactor Authentication Services ## +Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA + +Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. + +### Azure Multi-Factor Authentication (MFA) Cloud ### +> [!IMPORTANT] +As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> * Azure Multi-Factor Authentication +> * Azure Active Directory Premium +> * Enterprise Mobility + Security +> +> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. + +#### Azure MFA Provider #### +If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. + +#### Configure Azure MFA Settings #### +Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. + +#### Azure MFA User States #### +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. + +### Azure MFA via ADFS 2016 ### +Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section + +### Section Review + +> [!div class="checklist"] +> * Review the overview and uses of Azure Multifactor Authentication. +> * Review your Azure Active Directory subscription for Azure Multifactor Authentication. +> * Create an Azure Multifactor Authentication Provider, if necessary. +> * Configure Azure Multufactor Authentiation features and settings. +> * Understand the different User States and their effect on Azure Multifactor Authentication. +> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. + +> [!div class="nextstepaction"] +> [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. New Installation Baseline (*You are here*) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md new file mode 100644 index 0000000000..57457517cd --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -0,0 +1,518 @@ +--- +title: Configure Device Registration for Hybrid Windows Hello for Business +description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 09/08/2017 +--- +# Configure Device Registration for Hybrid Windows Hello for Business + +**Applies to** +- Windows 10 + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. + +> [!IMPORTANT] +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. + +Use this three phased approach for configuring device registration. +1. [Configure devices to register in Azure](#configure-azure-for-device-registration) +2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) +3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) + +> [!NOTE] +> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> * Azure AD registered devices +> * Azure AD joined devices +> * Hybrid Azure AD joined devices +> +> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) + +## Configure Azure for Device Registration +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. + +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) + +## Configure Active Directory to support Azure device syncrhonization + +Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema + +### Upgrading Active Directory to the Windows Server 2016 Schema + +To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). + +#### Identify the schema role domain controller + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i schema``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. + +#### Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +> [!NOTE] +> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. + + +### Setup Active Directory Federation Services +If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. +Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. + +Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. +> [!IMPORTANT] +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. + +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) + +#### ADFS Web Proxy ### +Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. +Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. + +### Deploy Azure AD Connect +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). + +When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. + +### Create AD objects for AD FS Device Authentication +If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. + +![Device Registration](images/hybridct/device1.png) + +> [!NOTE] +> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. + +1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. + +![Device Registration](images/hybridct/device2.png) + +2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: + + `Import-module activedirectory` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` +3. On the pop-up window click **Yes**. + +> [!NOTE] +> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" + +![Device Registration](images/hybridct/device3.png) + +The above PSH creates the following objects: + + +- RegisteredDevices container under the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration +- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration + +![Device Registration](images/hybridct/device4.png) + +4. Once this is done, you will see a successful completion message. + +![Device Registration](images/hybridct/device5.png) + +### Create Service Connection Point (SCP) in Active Directory +If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS +1. Open Windows PowerShell and execute the following: + + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + +> [!NOTE] +> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep + +![Device Registration](images/hybridct/device6.png) + +2. Provide your Azure AD global administrator credentials + + `PS C:>$aadAdminCred = Get-Credential` + +![Device Registration](images/hybridct/device7.png) + +3. Run the following PowerShell command + + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. + +The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. + +### Prepare AD for Device Write Back +To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. + +1. Open Windows PowerShell and execute the following: + + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format + +The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name + +- RegisteredDevices container in the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration + +### Enable Device Write Back in Azure AD Connect +If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets + +## Configure AD FS to use Azure registered devices + +### Configure issuance of claims + +In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS). + +Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. + +> [!NOTE] +> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. +> +> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). + +The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. + +* `http://schemas.microsoft.com/ws/2012/01/accounttype` +* `http://schemas.microsoft.com/identity/claims/onpremobjectguid` +* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` + +If you have more than one verified domain name, you need to provide the following claim for computers: + +* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` + +If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers: + +* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` + +In the following sections, you find information about: + +- The values each claim should have +- How a definition would look like in AD FS + +The definition helps you to verify whether the values are present or if you need to create them. + +> [!NOTE] +> If you don't use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. + +#### Issue account type claim + +**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + ); + +#### Issue objectGUID of the computer account on-premises + +**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + ); + +#### Issue objectSID of the computer account on-premises + +**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2); + +#### Issue issuerID for computer when multiple verified domain names in Azure AD + +**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. + + @RuleName = "Issue account type with the value User when its not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http:///adfs/services/trust/" + ); + + +In the claim above, + +- `$` is the AD FS service URL +- `` is a placeholder you need to replace with one of your verified domain names in Azure AD + +For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). +To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. + +#### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) + +**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: + + @RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + ); + +#### Helper script to create the AD FS issuance transform rules + +The following script helps you with the creation of the issuance transform rules described above. + + $multipleVerifiedDomainNames = $false + $immutableIDAlreadyIssuedforUsers = $false + $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains + + $rule1 = '@RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + );' + + $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + );' + + $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2);' + + $rule4 = '' + if ($multipleVerifiedDomainNames -eq $true) { + $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" + );' + } + + $rule5 = '' + if ($immutableIDAlreadyIssuedforUsers -eq $true) { + $rule5 = '@RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + );' + } + + $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + + $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + + $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + + Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString + +#### Remarks + +- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. + +- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: + + + c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); + +- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. + +#### Configure Device Authentication in AD FS +Using an elevated PowerShell command window, configure AD FS policy by executing the following command + +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` + +#### Check your configuration +For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work + +- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> + - read access to the AD FS service account + - read/write access to the Azure AD Connect sync AD connector account +- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> +- Container Device Registration Service DKM under the above container + +![Device Registration](images/hybridct/device8.png) + +- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration +- Configuration,CN=Services,CN=Configuration,DC=<domain> + - read/write access to the specified AD connector account name on the new object +- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> +- object of type msDS-DeviceRegistrationService in the above container + +>[!div class="nextstepaction"] +[Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Azure Device Registration (*You are here*) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md new file mode 100644 index 0000000000..7c56e7ded8 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -0,0 +1,139 @@ +--- +title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business) +description: Prerequisites for Hybrid Windows Hello for Business Deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 09/08/2017 +--- +# Hybrid Windows Hello for Business Prerequisites + +**Applies to** +- Windows 10 + + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. + +The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: +* [Directories](#directories) +* [Public Key Infrastucture](#public-key-infastructure) +* [Directory Synchronization](#directory-synchronization) +* [Federation](#federation) +* [MultiFactor Authetication](#multifactor-authentication) +* [Device Registration](#device-registration) + +## Directories ## +Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. + +A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. + +Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. + +Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. + +### Section Review ### + +> [!div class="checklist"] +> * Active Directory Domain Functional Level +> * Active Directory Forest Functional Level +> * Domain Controller version +> * Windows Server 2016 Schema +> * Azure Active Directory subscription +> * Correct subscription for desired features and outcomes + +
+ +## Public Key Infrastructure ## +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. + +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. + +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. + +### Section Review +> [!div class="checklist"] +> * Windows Server 2012 Issuing Certificate Authority +> * Windows Server 2016 Active Directory Federation Services + +
+ +## Directory Synchronization ## +The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. + +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect + +### Section Review +> [!div class="checklist"] +> * Azure Active Directory Connect directory synchronization +> * [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) +> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) + +
+ +## Federation ## +Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. + +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) + +### Section Review ### +> [!div class="checklist"] +> * Windows Server 2016 Active Directory Federation Services +> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658) + +
+ +## Multifactor Authentication ## +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. + +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. + +### Section Review +> [!div class="checklist"] +> * Azure MFA Service +> * Windows Server 2016 AD FS and Azure +> * Windows Server 2016 AD FS and third party MFA Adapter + +
+ +## Device Registration ## +Organizations wanting to deploy hybrid certificate trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. + +Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. + +### Section Checklist ### +> [!div class="checklist"] +> * Azure Active Directory Device writeback +> * Azure Active Directory Premium subscription + +
+ +### Next Steps ### +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. + +If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. + +If your environment is already federated and supports Azure device registration, choose **Configure Windows Hello for Business settings**. + +> [!div class="op_single_selector"] +> - [New Installation Baseline](hello-hybrid-cert-new-install.md) +> - [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +> - [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. Prerequistes (*You are here*) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md new file mode 100644 index 0000000000..576a4d3481 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -0,0 +1,51 @@ +--- +title: Hybrid Certificate Trust Deployment (Windows Hello for Business) +description: Hybrid Certificate Trust Deployment Overview +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 09/08/2017 +--- +# Hybrid Azure AD joined Certificate Trust Deployment + +**Applies to** +- Windows 10 + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + + +Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. + +It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). + +This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. + +## New Deployment Baseline ## +The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. + +This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. + +## Federated Baseline ## +The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. + +Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. + +> [!div class="nextstepaction"] +> [Prerequistes](hello-hybrid-cert-trust-prereqs.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. Overview (*You are here*) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md new file mode 100644 index 0000000000..744f4930a3 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -0,0 +1,75 @@ +--- +title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business) +description: Provisioning for Hybrid Windows Hello for Business Deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 09/08/2017 +--- +# Hybrid Windows Hello for Business Provisioning + +**Applies to** +- Windows 10 + + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +## Provisioning +The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. + +![Event358](images/Event358.png) + +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**. + +![dsreg output](images/dsregcmd.png) + + +Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. + +![Setup a PIN Provisioning](images/setupapin.png) + +The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. + +![MFA prompt during provisioning](images/mfa.png) + +After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. + + + +The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. +* A successful single factor authentication (username and password at sign-in) +* A device that has successfully completed device registration +* A fresh, successful multi-factor authentication +* A validated PIN that meets the PIN complexity requirements + +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. + +> [!IMPORTANT] +> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. + +> [!NOTE] +> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. + +After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. + +The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) +6. Sign-in and Provision(*You are here*)  + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md new file mode 100644 index 0000000000..27eba8dd44 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -0,0 +1,81 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Active Directory (AD) +description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, ad +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configuring Windows Hello for Business: Active Directory + +**Applies to** +- Windows 10 + +>[!div class="step-by-step"] +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) + +The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +### Creating Security Groups + +Windows Hello for Business uses several security groups to simplify the deployment and managment. + +> [!Important] +> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller. + +#### Create the KeyCredential Admins Security Group + +Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +#### Create the Windows Hello for Business Users Security Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + +### Section Review + +> [!div class="checklist"] +> * Create the KeyCredential Admins Security group (optional) +> * Create the Windows Hello for Business Users group + +>[!div class="step-by-step"] +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: Active Directory (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md new file mode 100644 index 0000000000..e68276a09e --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -0,0 +1,89 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS) +description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Windows Hello for Business: Active Directory Federation Services + +**Applies to** +- Windows10 + +## Federation Services + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +>[!div class="step-by-step"] +[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) + + +The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. + +### Configure the Registration Authority + +Sign-in the AD FS server with *Domain Admin* equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. + +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + + +### Group Memberships for the AD FS Service Account + +The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **Windows Hello for Business Users** group +4. Click the **Members** tab and click **Add** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Restart the AD FS server. + +### Section Review +> [!div class="checklist"] +> * Configure the registration authority +> * Update group memberships for the AD FS service account + + +>[!div class="step-by-step"] +[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: AD FS (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md new file mode 100644 index 0000000000..51d3af12b8 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -0,0 +1,86 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Directory Synchronization +description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Hybrid Windows Hello for Business: Directory Synchronization + +**Applies to** +- Windows 10 + +>[!div class="step-by-step"] +[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +## Directory Syncrhonization + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. + +### Configure Permissions for Key Syncrhonization + +Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + + +### Group Memberships for the Azure AD Connect Service Account + +The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +>[!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. + +3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add** +5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. + +### Section Review + +> [!div class="checklist"] +> * Configure Permissions for Key Synchronization +> * Configure group membership for Azure AD Connect + +>[!div class="step-by-step"] +[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md new file mode 100644 index 0000000000..27ea8e8a47 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -0,0 +1,199 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Public Key Infrastructure (PKI) +description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- + +# Configure Hybrid Windows Hello for Business: Public Key Infrastructure + +**Applies to** +- Windows 10 + +> [!div class="step-by-step"] +[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. + +All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. + +## Certifcate Templates + +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. + +### Domain Controller certificate template + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. + +#### Create a Domain Controller Authentication (Kerberos) Certificate Template + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. + **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. + +#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). + +The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +### Enrollment Agent certificate template + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. + +Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +> [!IMPORTANT] +> Follow the procedures below based on the AD FS service account used in your environment. + +#### Creating an Enrollment Agent certificate for Group Managed Service Accounts + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Creating an Enrollment Agent certificate for typical Service Acconts + +Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Creating Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +Publish Templates + +### Publish Certificate Templates to a Certificate Authority + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +### Unpublish Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Section Review +> [!div class="checklist"] +> * Domain Controller certificate template +> * Configure superseded domain controller certificate templates +> * Enrollment Agent certifcate template +> * Windows Hello for Business Authentication certificate template +> * Mark the certifcate template as Windows Hello for Business sign-in template +> * Publish Certificate templates to certificate authorities +> * Unpublish superseded certificate templates + + +> [!div class="step-by-step"] +[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: PKI (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md new file mode 100644 index 0000000000..2c0b6759f9 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -0,0 +1,204 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Group Policy +description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Hybrid Windows Hello for Business: Group Policy + +**Applies to** +- Windows 10 + +> [!div class="step-by-step"] +[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md) + + +## Policy Configuration + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. + +Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. + +Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. + +To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�** +3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Windows Hello for Business Group Policy + +The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory + +#### Enable Windows Hello for Business + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +#### Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +#### Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +#### Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +#### Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO�** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +#### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +#### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. + +### Section Review +> [!div class="checklist"] +> * Configure domain controllers for automatic certificate enrollment. +> * Create Windows Hello for Business Group Policy object. +> * Enable the Use Windows Hello for Business policy setting. +> * Enable the Use certificate for on-premises authentication policy setting. +> * Enable user automatic certificate enrollment. +> * Add users or groups to the Windows Hello for Business group + + +> [!div class="nextstepaction"] +[Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business policy settings (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md new file mode 100644 index 0000000000..2dbfc5fda4 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -0,0 +1,50 @@ +--- +title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) +description: Configuring Windows Hello for Business Settings in Hybrid deployment +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Windows Hello for Business + +**Applies to** +- Windows 10 + +> [!div class="step-by-step"] +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +> [!IMPORTANT] +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. + +The configuration for Windows Hello for Business is grouped in four categories. These categories are: +* [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +* [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md) +* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) +* [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) + +For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration + +> [!div class="step-by-step"] +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 6bc13714ae..59a9bb791e 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -10,7 +10,7 @@ ms.pagetype: security, mobile author: DaniHalfin ms.localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Windows Hello for Business @@ -78,7 +78,7 @@ There are many deployment options from which to choose. Some of those options re Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". ### Can I use PIN and biometrics to unlock my device? -No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the device with multiple factors. +No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the desktop with additional factors. ### What is the difference between Windows Hello and Windows Hello for Business Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. @@ -86,6 +86,28 @@ Windows Hello represents the biometric framework provided in Windows 10. Window ### I have extended Active Directory to Azure Active Directory. Can I use the on-prem deployment model? No. If your organization is federated or using online services, such as Office 365 or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. +### Does Windows Hello for Business prevent the use of simple PINs? +Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns. +So, for example: +* 1111 has a constant delta of 0, so it is not allowed +* 1234 has a constant delta of 1, so it is not allowed +* 1357 has a constant delta of 2, so it is not allowed +* 9630 has a constant delta of -3, so it is not allowed +* 1231 does not have a constant delta, so it is okay +* 1593 does not have a constant delta, so it is okay + +This algorithm does not apply to alphanumeric PINs. + +### How does PIN caching work with Windows Hello for Business? +Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. + +Beginning with Windows 10, Fall Creators Update, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. + +The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. + +### Can I disable the PIN while using Windows Hello for Business? +No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurence where you cannot authenticate with biometrics, you need a fall back mechansim that is not a password. The PIN is the fall back mechansim. Disabling or hiding the PIN credential provider disabled the use of biometrics. + ### Does Windows Hello for Business work with third party federation servers? Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) @@ -98,3 +120,4 @@ Windows Hello for Business can work with any third-party federation servers that ### Does Windows Hello for Business work with Mac and Linux clients? Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) + diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md index 6d8b9b37a2..52c93015e2 100644 --- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md @@ -25,7 +25,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will > >Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > ->Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. +>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.   ## Group Policy settings for Windows Hello for Business @@ -292,71 +292,6 @@ The following table lists the MDM policy settings that you can configure for Win >[!NOTE]   > If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.   -## Prerequisites - -To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. - -You’ll need this software to set Windows Hello for Business policies in your enterprise. - ------ - - - - - - - - - - - - - - - - - - - - - - -
Windows Hello for Business modeAzure ADActive Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)Azure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authenticationAzure AD subscription
    -
  • Active Directory Federation Service (AD FS) (Windows Server 2016)
    • -
  • A few Windows Server 2016 domain controllers on-site
    • -
    -
  • Azure AD subscription
    • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
    • -
  • A few Windows Server 2016 domain controllers on-site
    • -
  • A management solution, such as Configuration Manager, Group Policy, or MDM
    • -
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
    • -
Certificate-based authentication
    -
  • Azure AD subscription
    • -
  • Intune or non-Microsoft mobile device management (MDM) solution
    • -
  • PKI infrastructure
    • -
    -
  • ADFS (Windows Server 2016)
    • -
  • Active Directory Domain Services (AD DS) Windows Server 2016 schema
    • -
  • PKI infrastructure
    • -
    -
  • Azure AD subscription
    • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
    • -
  • AD CS with NDES
    • -
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business
    • -
-  -Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. - -Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. - ->[!IMPORTANT] ->Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available. - ## How to use Windows Hello for Business with Azure Active Directory diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 104805b446..54739d877a 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -68,7 +68,7 @@ It’s fundamentally important to understand which deployment model to use for a #### Trust types -A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. +A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. @@ -88,7 +88,7 @@ The goal of Windows Hello for Business is to move organizations away from passwo Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). >[!NOTE] -> Azure Multi-Factor Authentication is available through a: +> Azure Multi-Factor Authentication is available through: >* Microsoft Enterprise Agreement >* Open Volume License Program >* Cloud Solution Providers program @@ -160,6 +160,10 @@ If your organization does not have cloud resources, write **On-Premises** in box Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end enetity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). + +Because the certificate trust tyoes issues certificates, there is more configuration and infrastrucutre needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificatat-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. + If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet. @@ -208,7 +212,7 @@ If your Azure AD Connect is configured to synchronize identities (usernames only You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet. -Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. +Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises Azure MFA server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. @@ -267,9 +271,9 @@ If box **1a** on your planning worksheet reads **cloud only**, ignore the public If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. -The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. +The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. -If box **3a** reads **GP** and box **3b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances: +If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances: | Certificate Template Name | Issued To | | --- | --- | @@ -279,14 +283,14 @@ If box **3a** reads **GP** and box **3b** reads **modern management**, write **A | Web Server | NDES | | CEP Encryption | NDES | -If box **3a** reads **GP** and box **3b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet. +If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet. | Certificate Template Name | Issued To | | --- | --- | | Exchange Enrollment Agent | AD FS RA | | Web Server | AD FS RA | -If box **3a** or **3b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet. +If box **2a** or **2b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet. | Certificate Template Name | Issued To | | --- | --- | diff --git a/windows/access-protection/hello-for-business/images/SetupAPin.png b/windows/access-protection/hello-for-business/images/SetupAPin.png new file mode 100644 index 0000000000..50029cc00e Binary files /dev/null and b/windows/access-protection/hello-for-business/images/SetupAPin.png differ diff --git a/windows/access-protection/hello-for-business/images/dsregcmd.png b/windows/access-protection/hello-for-business/images/dsregcmd.png new file mode 100644 index 0000000000..85bc6491cf Binary files /dev/null and b/windows/access-protection/hello-for-business/images/dsregcmd.png differ diff --git a/windows/access-protection/hello-for-business/images/event358.png b/windows/access-protection/hello-for-business/images/event358.png new file mode 100644 index 0000000000..70376c35a1 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/event358.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device1.png b/windows/access-protection/hello-for-business/images/hybridct/device1.png new file mode 100644 index 0000000000..2835e56049 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device1.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device2.png b/windows/access-protection/hello-for-business/images/hybridct/device2.png new file mode 100644 index 0000000000..4874ca4516 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device2.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device3.png b/windows/access-protection/hello-for-business/images/hybridct/device3.png new file mode 100644 index 0000000000..c6572cbd5a Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device3.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device4.png b/windows/access-protection/hello-for-business/images/hybridct/device4.png new file mode 100644 index 0000000000..3a72066a31 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device4.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device5.png b/windows/access-protection/hello-for-business/images/hybridct/device5.png new file mode 100644 index 0000000000..c3754b5389 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device5.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device6.png b/windows/access-protection/hello-for-business/images/hybridct/device6.png new file mode 100644 index 0000000000..97db24c262 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device6.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device7.png b/windows/access-protection/hello-for-business/images/hybridct/device7.png new file mode 100644 index 0000000000..80f9d53d2c Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device7.png differ diff --git a/windows/access-protection/hello-for-business/images/hybridct/device8.png b/windows/access-protection/hello-for-business/images/hybridct/device8.png new file mode 100644 index 0000000000..97ad2a1bfb Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hybridct/device8.png differ diff --git a/windows/access-protection/hello-for-business/images/mfa.png b/windows/access-protection/hello-for-business/images/mfa.png new file mode 100644 index 0000000000..b7086b9b79 Binary files /dev/null and b/windows/access-protection/hello-for-business/images/mfa.png differ diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index e99fabcb82..ceb776ae4e 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -1,4 +1,4 @@ -# [Windows Hello for Business](hello-identity-verification.md) +# [Windows Hello for Business](hello-identity-verification.md) ## [Windows Hello for Business Overview](hello-overview.md) ## [How Windows Hello for Business works](hello-how-it-works.md) @@ -13,6 +13,12 @@ ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) +### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) +#### [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +#### [New Installation Baseline](hello-hybrid-cert-new-install.md) +#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) +#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) ### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) #### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 47ca379543..2d55ec35a7 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,7 +1,6 @@ --- title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10) -description: Windows Defender Firewall with Advanced Security -Design Guide +description: Windows Defender Firewall with Advanced Security Design Guide ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 5c764b532e..3f1e9a5aaa 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -100,5 +100,7 @@ #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## [Service Host process refactoring](svchost-service-refactoring.md) +## [Per-user services in Windows](per-user-services-in-windows.md) +## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) ## [Change history for Application management](change-history-for-application-management.md) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md new file mode 100644 index 0000000000..215e71f9f0 --- /dev/null +++ b/windows/application-management/apps-in-windows-10.md @@ -0,0 +1,153 @@ +--- +title: Windows 10 - Apps +description: What are Windows, UWP, and Win32 apps +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.localizationpriority: low +ms.date: 09/15/2017 +--- +# Understand the different apps included in Windows 10 + +The following types of apps run on Windows 10: +- Windows apps - introduced in Windows 8, primarily installed from the Store app. +- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. +- "Win32" apps - traditional Windows applications, built for 32-bit systems. + +Digging into the Windows apps, there are two categories: +- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. +- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: + - Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in. + - Installed: Installed as part of the OS. + +The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1511, 1607, and 1703, and indicate whether an app can be uninstalled through the UI. + +Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. + +> [!TIP] +> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: +> ```powershell +> Get-AppxPackage |Select Name,PackageFamilyName +> Get-AppsProvisionedPackage -Online | select DisplayName,PackageName +> ``` + + +## System apps +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1511, 1607, and 1703. + +| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? | +|------------------|-------------------------------------------|------|------|------|--------------------------------------------------------| +| Cortana UI | CortanaListenUIApp | | | x | No | +| | Desktop Learning | | | x | No | +| | DesktopView | | | x | No | +| | EnvironmentsApp | | | x | No | +| Mixed Reality + | HoloCamera | | | x | No | +| Mixed Reality + | HoloItemPlayerApp | | | x | No | +| Mixed Reality + | HoloShell | | | x | No | +| | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| | Microsoft.AccountsControl | x | x | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | | | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No | +| | Microsoft.PPIProjection | | x | x | No | +| | Microsoft.Windows. Apprep.ChxApp | | x | x | No | +| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows. CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows. Holographic.FirstRun | | | x | No | +| | Microsoft.Windows. ModalSharePickerHost | | | x | No | +| | Microsoft.Windows. OOBENetworkCaptivePort | | | x | No | +| | Microsoft.Windows. OOBENetworkConnection | | | x | No | +| | Microsoft.Windows. ParentalControls | x | x | x | No | +| | Microsoft.Windows. SecHealthUI | | | x | No | +| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No | +| | Microsoft.Windows. SecureAssessmentBrowser | | x | x | No | +| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | x | * | * | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| Xbox logon UI | Microsoft.XboxIdentityProvider | x | | | No | +| Contact Support | Windows.ContactSupport | x | x* | x* | In 1511, no.* | +| | Windows.Devicesflow | x | | | No | +| Settings | Windows.ImmersiveControlPanel | x | x | x | No | +| Connect | Windows.MiracastView | x | x | x | No | +| Print UI | Windows.PrintDialog | x | x | x | No | +| Purchase UI | Windows.PurchaseDialog | x | | | No | + +> [!NOTE] +> - The Windows Feedback app changed to the Windows Feedback Hub in version 1607. It's listed in the installed apps table below. +> - As of Windows 10 version 1607, you can use the Optional Features app to uninstall the Contact Support app. + +## Installed Windows apps +Here are the typical installed Windows apps in Windows 10 versions 1511, 1607, and 1703. + +| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? | +|--------------------|-----------------------------------------|------|------|------|---------------------------| +| Remote Desktop | Microsoft.RemoteDesktop | | x | x | Yes | +| PowerBI | Microsoft.Microsoft PowerBIforWindows | | x | x | Yes | +| Candy Crush | king.com.CandyCrushSodaSaga | x | | | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | | x | x | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | | x | x | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | | x | x | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | | x | x | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | | x | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | | x | x | Yes | +| Paid Wi-FI | | x | | | Yes | +| Skype Video | | x | | | Yes | +| Twitter | | x | | | Yes | +| PicArts | | x | | | Yes | +| Minecraft | | x | | | Yes | +| Flipboard | | x | | | Yes | + +## Provisioned Windows apps +Here are the typical provisioned Windows apps in Windows 10 versions 1511, 1607, and 1703. + +| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? | +|---------------------------------|----------------------------------------|------|------|------|---------------------------| +| 3D Builder | Microsoft.3DBuilder | x | | x | Yes | +| App Connector | Microsoft.Appconnector | x | | | Yes, through Settings app | +| Money | Microsoft.BingFinance | x | | | Yes | +| News | Microsoft.BingNews | x | * | * | Yes | +| Sports | Microsoft.BingSports | x | | | Yes | +| Weather | Microsoft.BingWeather | x | x | x | No | +| Phone Companion | Microsoft.CommsPhone | x | | | Yes | +| | Microsoft.ConnectivityStore | x | | | No | +| | Microsoft.DesktopAppInstaller | | x | x | Yes, through Settings app | +| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | +| Messaging | Microsoft.Messaging | x | x | x | No | +| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | | x | No | +| Get Office | Microsoft.MicrosoftOfficeHub | x | x | x | Yes | +| Solitaire | Microsoft.Microsoft SolitaireCollection | x | x | x | Yes | +| Sticky Notes | Microsoft.MicrosoftStickyNotes | | x | x | No | +| OneNote | Microsoft.Office.OneNote | x | x | x | No | +| Sway | Microsoft.Office.Sway | x | * | * | Yes | +| | Microsoft.OneConnect | | x | x | No | +| Paint 3D | Microsoft.MSPaint | | | x | No | +| People | Microsoft.People | x | x | x | No | +| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | +| | Microsoft.StorePurchaseApp | | x | x | No | +| | Microsoft.Wallet | | | x | No | +| Photos | Microsoft.Windows.Photos | x | x | x | No | +| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | +| Calculator | Microsoft.WindowsCalculator | x | x | x | No | +| Camera | Microsoft.WindowsCamera | x | x | x | No | +| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | +| Feedback Hub | Microsoft.WindowsFeedbackHub | * | x | x | Yes | +| Maps | Microsoft.WindowsMaps | x | x | x | No | +| Phone | Microsoft.WindowsPhone | x | | | No | +| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | +| Store | Microsoft.WindowsStore | x | x | x | No | +| Xbox | Microsoft.XboxApp | x | x | x | No | +| | Microsoft.XboxGameOverlay | | | x | No | +| | Microsoft.XboxIdentityProvider | * | x | x | No | +| Groove | Microsoft.ZuneMusic | x | x | x | No | +| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | +| | Microsoft.XboxSpeech ToTextOverlay | | | x | No | + +> [!NOTE] +> - As of Windows 10, version 1607, News and Sway are installed apps. +> - Both Feedback Hub and Microsoft.XboxIdentityProvider were installed apps in version 1511 and provisioned apps in versions 1607 and later. \ No newline at end of file diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index 92e5039334..5178cf9050 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -8,12 +8,19 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jdeckerms +ms.date: 09/15/2017 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## September 2017 +| New or changed topic | Description | +| --- | --- | +| [Per-user services in Windows 10](per-user-services-in-windows.md) | New | +| [Understand the different apps included in Windows 10](apps-in-windows-10.md) | New | + ## July 2017 | New or changed topic | Description | | --- | --- | diff --git a/windows/application-management/index.md b/windows/application-management/index.md index d6c32fbe93..17767877fd 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium +ms.date: 09/15/2017 --- # Windows 10 application management @@ -20,5 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients. |---|---| |[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients| +|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| +|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise| | [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 | | [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile | diff --git a/windows/application-management/media/gpp-hklm.png b/windows/application-management/media/gpp-hklm.png new file mode 100644 index 0000000000..6e73a3b078 Binary files /dev/null and b/windows/application-management/media/gpp-hklm.png differ diff --git a/windows/application-management/media/gpp-per-user-services.png b/windows/application-management/media/gpp-per-user-services.png new file mode 100644 index 0000000000..6d2d181d93 Binary files /dev/null and b/windows/application-management/media/gpp-per-user-services.png differ diff --git a/windows/application-management/media/gpp-svc-disabled.png b/windows/application-management/media/gpp-svc-disabled.png new file mode 100644 index 0000000000..ba082cec1b Binary files /dev/null and b/windows/application-management/media/gpp-svc-disabled.png differ diff --git a/windows/application-management/media/gpp-svc-start.png b/windows/application-management/media/gpp-svc-start.png new file mode 100644 index 0000000000..6966b6453f Binary files /dev/null and b/windows/application-management/media/gpp-svc-start.png differ diff --git a/windows/application-management/media/regedit-change-service-startup-type.png b/windows/application-management/media/regedit-change-service-startup-type.png new file mode 100644 index 0000000000..ab7fd3b02a Binary files /dev/null and b/windows/application-management/media/regedit-change-service-startup-type.png differ diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md new file mode 100644 index 0000000000..f784c78af2 --- /dev/null +++ b/windows/application-management/per-user-services-in-windows.md @@ -0,0 +1,172 @@ +--- +title: Per-user services in Windows 10 and Windows Server +description: Learn about per-user services introduced in Windows 10. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.date: 09/13/2017 +--- + +# Per-user services in Windows 10 and Windows Server + +> Applies to: Windows 10, Windows Server + +Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. + +> [!NOTE] +> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services. + +You can configure the template service to create per-user services in a stopped and disabled state by setting the template service's **Startup Type** to **Disabled**. + +> [!IMPORTANT] +> Carefully test any changes to the template service's Startup Type before deploying in production. + +Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates. +For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server). + +## Per-user services + +Windows 10 and Windows Server (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. + +Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly. + +| Key name | Display name | Default start type | Dependencies | Description | +|------------------------|-----------------------------------------|--------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CDPUserSvc | CDPUserSvc | Auto | | Used for Connected Devices Platform scenarios | +| OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | +| PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | +| UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | +| UserDataSvc | User Data Access | Manual | UnistoreSvc | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | +| WpnUserService | Windows Push Notifications User Service | Manual | | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw. | + +## Disable per-user services + +The template service isn't displayed in the Services console (services.msc) so you need to edit the registry directly, either with Group Policy or a scripted solution, to disable a per-user service. + +> [!NOTE] +> Disabling a per-user service simply means that it is created in a stopped and disabled state. When the user signs out, the per-user service is removed. + +You can't manage all of the per-user service templates services using normal Group Policy management methods. Because the per-user services aren't displayed in the Services management console, they're also not displayed in the Group Policy Services policy editor UI. + +Additionally, there are four template services that can't be managed with a security template: +- PimIndexMaintenanceSvc +- UnistoreSvc +- UserDataSvc +- WpnUserService + +In light of these restrictions, you can use the following methods to manage per-user services template services: + +- A combination of a security template and a script or Group Policy preferences registry policy +- Group Policy preferences for all of the services +- A script for all of the services + +### Manage template services using a security template + +You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. + +device-security/security-policy-settings/administer-security-policy-settings + +For example: + +``` +[Unicode] +Unicode=yes +[Version] +signature="$CHICAGO$" +Revision=1 +[Service General Setting] +"CDPUserSVC".4,"" +``` + +### Manage template services using Group Policy preferences + +If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences. + +1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/en-us/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. + +2. Create a new Group Policy Object (GPO) or use an existing GPO. + +3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor. + +4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry. + +5. Right-click **Registry** > **New** > **Registry Item**. + + ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) + +6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. + + ![Choose HKLM](media/gpp-hklm.png) + +7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. + + ![Select Start](media/gpp-svc-start.png) + +8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. + + ![Startup Type is Disabled](media/gpp-svc-disabled.png) + +9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. + +### Managing Template Services with reg.exe + +If you cannot use GPP to manage the per-user services you can edit the registry with reg.exe. +To disable the Template Services change the Startup Type for each service to 4 (disabled). +For example: + +```code +REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f +REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f +REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f +REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f +REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f +REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f +``` + +> [!CAUTION] +> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. + +### Managing Template Services with regedit.exe + +If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example: + +![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) + +> [!CAUTION] +> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. + +### Manage template services by modifying the Windows image + +If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process. + +### Use a script to manage per-user services + +You can create a script to change the Startup Type for the per-user services. Then use Group Policy or another management solution to deploy the script in your environment. + +Sample script using [sc.exe](https://technet.microsoft.com/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396): + +``` +sc.exe configure start= disabled +``` +Note that the space after "=" is intentional. + +Sample script using the [Set-Service PowerShell cmdlet](https://technet.microsoft.com/library/ee176963.aspx): + +```powershell +Set-Service -StartupType Disabled +``` + +## View per-user services in the Services console (services.msc) + +As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the _LUID format (where LUID is the locally unique identifier). + +For example, you might see the following per-user services listed in the Services console: + +- CPDUserSVC_443f50 +- ContactData_443f50 +- Sync Host_443f50 +- User Data Access_443f50 +- User Data Storage_443f50 \ No newline at end of file diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 2d6046fef1..8b53725783 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -17,9 +17,9 @@ ## [Enterprise app management](enterprise-app-management.md) ## [Device update management](device-update-management.md) ## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md) -## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md) -### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md) -#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md) +## [Management tool for the Micosoft Store for Business](management-tool-for-windows-store-for-business.md) +### [REST API reference for Micosoft Store for Business](rest-api-reference-windows-store-for-business.md) +#### [Data structures for Micosoft Store for Business](data-structures-windows-store-for-business.md) #### [Get Inventory](get-inventory.md) #### [Get product details](get-product-details.md) #### [Get localized product details](get-localized-product-details.md) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7564c89e41..2737a54616 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -266,9 +266,9 @@ FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corp You can get the publisher name and product name of apps using a web API. -**To find publisher and product name for Microsoft apps in Windows Store for Business** +**To find publisher and product name for Microsoft apps in Microsoft Store for Business** -1. Go to the Windows Store for Business website, and find your app. For example, Microsoft OneNote. +1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. 3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index 510be6e748..f8ba2b865f 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -1,6 +1,6 @@ --- title: Assign seat -description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business. +description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business. ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Assign seat -The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business. +The **Assign seat** operation assigns seat for a specified user in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 33f5904925..7b7845d806 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -1,6 +1,6 @@ --- title: Bulk assign and reclaim seats from users -description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business. +description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business. ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Bulk assign and reclaim seats from users -The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business. +The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 7a1bbaa552..d272b736e4 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -1,5 +1,5 @@ --- -title: Data structures for Windows Store for Business +title: Data structures for Microsoft Store for Business MS-HAID: - 'p\_phdevicemgmt.business\_store\_data\_structures' - 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' @@ -13,10 +13,10 @@ author: nickbrower ms.date: 06/19/2017 --- -# Data structures for Windows Store for Business +# Data structures for Microsoft Store for Business -Here's the list of data structures used in the Windows Store for Business REST APIs: +Here's the list of data structures used in the Microsoft Store for Business REST APIs: - [AlternateIdentifier](#alternateidentifier) - [BulkSeatOperationResultSet](#bulkseatoperationresultset) diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index c203cabb0a..fd6c08650e 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -18,7 +18,7 @@ This topic covers one of the key mobile device management (MDM) features in Wind Windows 10 offers the ability for management servers to: -- Install apps directly from the Windows Store for Business +- Install apps directly from the Microsoft Store for Business - Deploy offline Store apps and licenses - Deploy line-of-business (LOB) apps (non-Store apps) - Inventory all apps for a user (Store and non-Store apps) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index ebe9611293..f8a14b5289 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -68,7 +68,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall. - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. - Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - - AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Windows Store for Business. + - AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Microsoft Store for Business. - nonStore - This classification is for apps that were not acquired from the Windows Store. - System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried. - PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 3c83d22f62..c5268976eb 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -1,6 +1,6 @@ --- title: Get Inventory -description: The Get Inventory operation retrieves information from the Windows Store for Business to determine if new or updated applications are available. +description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. MS-HAID: - 'p\_phdevicemgmt.get\_seatblock' - 'p\_phDeviceMgmt.get\_inventory' @@ -15,7 +15,7 @@ ms.date: 06/19/2017 # Get Inventory -The **Get Inventory** operation retrieves information from the Windows Store for Business to determine if new or updated applications are available. +The **Get Inventory** operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. ## Request diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index eaa61805b9..d735043656 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -1,6 +1,6 @@ --- title: Get localized product details -description: The Get localized product details operation retrieves the localization information of a product from the Windows Store for Business. +description: The Get localized product details operation retrieves the localization information of a product from the Micosoft Store for Business. ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get localized product details -The **Get localized product details** operation retrieves the localization information of a product from the Windows Store for Business. +The **Get localized product details** operation retrieves the localization information of a product from the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 3bf57d69fb..292398084a 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -1,6 +1,6 @@ --- title: Get offline license -description: The Get offline license operation retrieves the offline license information of a product from the Windows Store for Business. +description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business. ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get offline license -The **Get offline license** operation retrieves the offline license information of a product from the Windows Store for Business. +The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index f11532b8c5..c35071dc7b 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -1,6 +1,6 @@ --- title: Get product details -description: The Get product details operation retrieves the product information from the Windows Store for Business for a specific application. +description: The Get product details operation retrieves the product information from the Micosoft Store for Business for a specific application. ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get product details -The **Get product details** operation retrieves the product information from the Windows Store for Business for a specific application. +The **Get product details** operation retrieves the product information from the Micosoft Store for Business for a specific application. ## Request diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index 30f41c7a77..69792850cb 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -1,6 +1,6 @@ --- title: Get product package -description: The Get product package operation retrieves the information about a specific application in the Windows Store for Business. +description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business. ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get product package -The **Get product package** operation retrieves the information about a specific application in the Windows Store for Business. +The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index f65a5ec30c..932a85e68d 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -1,6 +1,6 @@ --- title: Get product packages -description: The Get product packages operation retrieves the information about applications in the Windows Store for Business. +description: The Get product packages operation retrieves the information about applications in the Micosoft Store for Business. ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get product packages -The **Get product packages** operation retrieves the information about applications in the Windows Store for Business. +The **Get product packages** operation retrieves the information about applications in the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 5c1e6fbba9..c6b07c1a2a 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -1,6 +1,6 @@ --- title: Get seat -description: The Get seat operation retrieves the information about an active seat for a specified user in the Windows Store for Business. +description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get seat -The **Get seat** operation retrieves the information about an active seat for a specified user in the Windows Store for Business. +The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index d7c55310d3..d0227888e5 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -1,6 +1,6 @@ --- title: Get seats assigned to a user -description: The Get seats assigned to a user operation retrieves information about assigned seats in the Windows Store for Business. +description: The Get seats assigned to a user operation retrieves information about assigned seats in the Micosoft Store for Business. ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get seats assigned to a user -The **Get seats assigned to a user** operation retrieves information about assigned seats in the Windows Store for Business. +The **Get seats assigned to a user** operation retrieves information about assigned seats in the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 88d7e51517..4b995cc98c 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,6 +1,6 @@ --- title: Get seats -description: The Get seats operation retrieves the information about active seats in the Windows Store for Business. +description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Get seats -The **Get seats** operation retrieves the information about active seats in the Windows Store for Business. +The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 0cef4c42b9..02d281e49f 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -1,6 +1,6 @@ --- -title: Management tool for the Windows Store for Business -description: The Windows Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. +title: Management tool for the Micosoft Store for Business +description: The Micosoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. MS-HAID: - 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' @@ -13,9 +13,9 @@ author: nickbrower ms.date: 06/19/2017 --- -# Management tool for the Windows Store for Business +# Management tool for the Micosoft Store for Business -The Windows Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. +The Micosoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. Here's the list of the available capabilities: @@ -26,7 +26,7 @@ Here's the list of the available capabilities: - Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business. - Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices. -For additional information about Store for Business, see the TechNet topics in [Windows Store for Business](https://technet.microsoft.com/library/mt606951.aspx). +For additional information about Store for Business, see the TechNet topics in [Micosoft Store for Business](https://technet.microsoft.com/library/mt606951.aspx). ## Management services diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 8d2e232161..38b240b6b4 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -102,7 +102,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -

Management tool for the Windows Store for Business

+

Management tool for the Micosoft Store for Business

New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.

@@ -929,6 +929,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s +The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx) +

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

+
    +
  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
    • +
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
    • +
  • DomainName - fully qualified domain name if the device is domain-joined.
    • +
+

For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

+ + [Firewall CSP](firewall-csp.md)

Added new CSP in Windows 10, version 1709.

@@ -989,9 +999,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s

Added new policies.

+Microsoft Store for Business +

Windows Store for Business name changed to Microsoft Store for Business.

+ + [Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1709:

    +
  • Authentication/AllowAadPasswordReset
  • Browser/LockdownFavorites
  • Browser/ProvisionFavorites
  • CredentialProviders/DisableAutomaticReDeploymentCredentials
    • @@ -1043,7 +1058,9 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Education/DefaultPrinterName
  • Education/PreventAddingNewPrinters
  • Education/PrinterNames
    • +
  • Search/AllowCloudSearch
  • Security/ClearTPMIfNotReady
    • +
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
  • Update/DisableDualScan
  • Update/ScheduledInstallEveryWeek
    • @@ -1335,6 +1352,47 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### September 2017 + + ++++ + + + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Authentication/AllowAadPasswordReset
      • +
    • Search/AllowCloudSearch
      • +
    • System/LimitEnhancedDiagnosticDataWindowsAnalytics
      • +
    +

    Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

    +
    Microsoft Store for Business

    Windows Store for Business name changed to Microsoft Store for Business.

    +
    The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)

    The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

    +
      +
    • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
      • +
    • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
      • +
    • DomainName - fully qualified domain name if the device is domain-joined.
      • +
    +

    For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

    +
    + ### August 2017 diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a36b8b8b5f..eaafad9a16 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -307,6 +307,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### Authentication policies
    +
    + Authentication/AllowAadPasswordReset +
    Authentication/AllowEAPCertSSO
    @@ -2383,6 +2386,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### Search policies
    +
    + Search/AllowCloudSearch +
    Search/AllowIndexingEncryptedStoresOrItems
    @@ -2646,6 +2652,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    System/DisableSystemRestore
    +
    + System/LimitEnhancedDiagnosticDataWindowsAnalytics +
    System/TelemetryProxy
    diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index fcc6506c15..3c483fb097 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/06/2017 --- # Policy CSP - Authentication @@ -19,6 +19,42 @@ ms.date: 08/30/2017 ## Authentication policies + +**Authentication/AllowAadPasswordReset** + + +
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.  + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + **Authentication/AllowEAPCertSSO** @@ -46,10 +82,6 @@ ms.date: 08/30/2017 -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

    Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. > [!IMPORTANT] diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 81e87eb957..3f35e2d4eb 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -572,7 +572,7 @@ ms.date: 08/30/2017

    Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. -Value type is string. +

    Value type is string. @@ -609,7 +609,9 @@ Value type is string.

    Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. -Value type is string. +

    For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). + +

    Value type is string. diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 8c510ae5c1..783aac1e8d 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -19,6 +19,42 @@ ms.date: 08/30/2017 ## Search policies + +**Search/AllowCloudSearch** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + **Search/AllowIndexingEncryptedStoresOrItems** diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 53b9ec2f30..d077ea3454 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -554,6 +554,51 @@ ADMX Info: +**System/LimitEnhancedDiagnosticDataWindowsAnalytics** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    This policy setting, in combination with the System/AllowTelemetry + policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. + +

    To enable this behavior you must complete two steps: +

      +
    • Enable this policy setting
      • +
    • Set Allow Telemetry to level 2 (Enhanced)
      • +
    + +

    When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). + +

    Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. + +

    If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. + + + + + **System/TelemetryProxy** diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index e3a796b41d..1bf1c34365 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -471,8 +471,12 @@ This policy is accessible through the Update setting in the user interface or Gr

    The following list shows the supported values: -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). +- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) +- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) +- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. + @@ -1253,12 +1257,12 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. -

    Allows the IT admin to set a device to CBB train. +

    Allows the IT admin to set a device to Semi-Annual Channel train.

    The following list shows the supported values: -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. +- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). +- 1 – User gets upgrades from Semi-Annual Channel. diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index ee30992445..1319338ddc 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -1,6 +1,6 @@ --- title: Reclaim seat from user -description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business. +description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business. ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Reclaim seat from user -The **Reclaim seat from user** operation returns reclaimed seats for a user in the Windows Store for Business. +The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business. ## Request diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index 5016c86ac9..d64e4e1b4d 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -1,6 +1,6 @@ --- -title: REST API reference for Windows Store for Business -description: REST API reference for Windows Store for Business +title: REST API reference for Micosoft Store for Business +description: REST API reference for Micosoft Store for Business MS-HAID: - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' @@ -13,7 +13,7 @@ author: nickbrower ms.date: 06/19/2017 --- -# REST API reference for Windows Store for Business +# REST API reference for Micosoft Store for Business Here's the list of available operations: diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md new file mode 100644 index 0000000000..03b15f9859 --- /dev/null +++ b/windows/client-management/windows-10-support-solutions.md @@ -0,0 +1,62 @@ +--- +title: Top support solutions for Windows 10 +description: Get links to solutions for Windows 10 issues +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.author: elizapo +author: kaushika-msft +ms.localizationpriority: high +--- +# Top support solutions for Windows 10 + +Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates: + +- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/) +- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/) +- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/) + + +These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles. + +## Solutions related to installing Windows updates or hotfixes +- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users) +- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) +- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog) +- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) +- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) +- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates) +- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017) +- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server) + +## Solutions related to Bugchecks or Stop Errors +- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros) +- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) +- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues) +- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/) +- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/) + +## Solutions related to installing or upgrading Windows +- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) +- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the) +- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) +- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) +- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem) +- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008) +- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632) +- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633) + +## Solutions related to configuring or managing the Start menu +- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies) +- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +- [Changes to Group Policy settings for Windows 10 Start](/windows/configuration/changes-to-start-policies-in-windows-10) +- [Preinstalled system applications and Start menu may not work when you upgrade to Windows 10, Version 1511](https://support.microsoft.com/help/3152599) +- [Start menu shortcuts aren't immediately accessible in Windows Server 2016](https://support.microsoft.com/help/3198613) +- [Troubleshoot problems opening the Start menu or Cortana](https://support.microsoft.com/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana) +- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic) + +## Solutions related to wireless networking and 802.1X authentication + +- [Windows 10 devices can't connect to an 802.1X environment](http://support.microsoft.com/kb/3121002) +- [Windows 10 wireless connection displays "Limited" status](http://support.microsoft.com/kb/3114149) +- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](http://support.microsoft.com/kb/3084164) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 76c39cc45d..2a2a60a09d 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -14,6 +14,12 @@ author: jdeckerms This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## September 2017 + +New or changed topic | Description +--- | --- + [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy. + ## August 2017 New or changed topic | Description @@ -23,11 +29,12 @@ New or changed topic | Description ## July 2017 | New or changed topic | Description | | --- | --- | -| [Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** | -| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed | -| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | +|[Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md)|Updated categories and included diagnostic data.| +|[Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** | +|[Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed | +|[Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | |[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. | -| [Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. | +|[Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. | ## June 2017 diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e5ebed0c80..f76eec93a1 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -113,7 +113,7 @@ See the following table for a summary of the management settings for Windows 10 | [21. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [23. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [24. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [25. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [26. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | @@ -558,7 +558,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http | Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10.
    Default: blank | -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies). ### 13. Network Connection Status Indicator @@ -1636,7 +1636,7 @@ You can stop sending file samples back to Microsoft. -or- -- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where: - **0**. Always prompt. @@ -1682,9 +1682,9 @@ To remove Windows Media Player on Windows Server 2016: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 24. Windows spotlight +### 24. Windows Spotlight -Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. +Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface, MDM policy, or through Group Policy. If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy: @@ -1695,6 +1695,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the -or- +- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero). + + -or- + - Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). If you're not running Windows 10, version 1607 or later, you can use the other options in this section. @@ -1733,7 +1737,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o -or- - - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one). + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one). For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md). @@ -1847,7 +1851,7 @@ You can turn off automatic updates by doing one of the following. This is not re -or- -- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update), where: - **0**. Notify the user before downloading the update. diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index e203016bfa..6454a3fe7c 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -32,8 +32,7 @@ On Windows 10 for desktop editions, the customized Start works by: >[!NOTE] >Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). ->[!NOTE] ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). + ## LayoutModification XML diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index d3dd731cdf..7e89dfdb30 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index daa6ca5eb8..52223258ad 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md index f032ce168c..af27cea5f0 100644 --- a/windows/configuration/wcd/wcd-applicationmanagement.md +++ b/windows/configuration/wcd/wcd-applicationmanagement.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index ad5d7551fb..201fc633e1 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md index abb8bbd179..52d9845460 100644 --- a/windows/configuration/wcd/wcd-automatictime.md +++ b/windows/configuration/wcd/wcd-automatictime.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 787b6fa65b..a8af54b4f9 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md index bb07ccc02c..f3905fe8bc 100644 --- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md +++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 64258bbe02..7ea42d279d 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 6347a4795d..4e414b4677 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index ec1f5eaadc..fa14dead06 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index 1ce0db8e5b..98fdd61592 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -5,14 +5,14 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- # Connections (Windows Configuration Designer reference) -Use to configure settings related to variou types of phone connections. +Use to configure settings related to various types of phone connections. ## Applies to diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index bb7d3366c0..2a71e900c4 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index aea53e22de..84e1e611f1 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 1cf770db9b..6f954aec14 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index e7c4378477..76c7f07631 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index dc1e5cd524..c9d4434a24 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 9297174468..297225f5a1 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index 4efec80320..27a6b9dd36 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index cb2fd133b6..76e05d28ae 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md index 833b66a43a..2203a1cb2b 100644 --- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md +++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 5e394b2f6b..df61861e90 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index b3a53776ff..cf0f7c1983 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index bbad0c9cb9..08eff6065d 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md index db5b9cee8b..a579fca408 100644 --- a/windows/configuration/wcd/wcd-initialsetup.md +++ b/windows/configuration/wcd/wcd-initialsetup.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md index d1a2e56c56..e3290e6905 100644 --- a/windows/configuration/wcd/wcd-internetexplorer.md +++ b/windows/configuration/wcd/wcd-internetexplorer.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index 5b3ebb4f41..7ae7661ea8 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index 4a1bfc4a7a..afe5f92c1c 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md index a00378d147..871e87042c 100644 --- a/windows/configuration/wcd/wcd-messaging.md +++ b/windows/configuration/wcd/wcd-messaging.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md index dc45dff1ef..98bae12f8b 100644 --- a/windows/configuration/wcd/wcd-modemconfigurations.md +++ b/windows/configuration/wcd/wcd-modemconfigurations.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md index 37a5519dfd..fa8c0d735f 100644 --- a/windows/configuration/wcd/wcd-multivariant.md +++ b/windows/configuration/wcd/wcd-multivariant.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index 7eb31bc61c..3689226767 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 5906d70cdd..be9d9f4d69 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md index c03217c87e..1b56de1940 100644 --- a/windows/configuration/wcd/wcd-nfc.md +++ b/windows/configuration/wcd/wcd-nfc.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 7a72de6bb0..e609255e3d 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md index f5f33e19a2..ff79d72f5f 100644 --- a/windows/configuration/wcd/wcd-otherassets.md +++ b/windows/configuration/wcd/wcd-otherassets.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 27f82ea825..a5aaee541d 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 72357237a0..f672b70b05 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 5ed43d8d18..7ab3bd2e35 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index d771bbee7b..744e0acd11 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md index 8d7ad0b7ff..a0b581cb04 100644 --- a/windows/configuration/wcd/wcd-shell.md +++ b/windows/configuration/wcd/wcd-shell.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index ce6de17758..df459903c7 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index 25fcc57075..3256dea604 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 06c5b20b7a..3e9d1ca9b2 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 6b0840c310..2e5c3fa161 100644 --- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index f2da4a2dd6..4a6dbb3dd3 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index a8d2ea900a..5f454d89bb 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index 75613f3b2e..c498ffd865 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md index 2d3e643f85..bc5710c264 100644 --- a/windows/configuration/wcd/wcd-theme.md +++ b/windows/configuration/wcd/wcd-theme.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index fe65f8413f..5ba21b01a3 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 6ba1b3993a..50f88c2fdc 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 17bbc8f15b..70cd723052 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 7175b5e14b..47596e69d3 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- @@ -13,7 +13,7 @@ ms.date: 08/21/2017 # UsbErrorsOEMOverride (reference) -Use UsbErrorsOEMOverride settings to . +Allows an OEM to hide the USB option UI in Settings and all USB device errors. ## Applies to @@ -24,4 +24,4 @@ Use UsbErrorsOEMOverride settings to . ## HideUsbErrorNotifyOptionUI - +Configure to **Show** or **Hide** the USB error notification. diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index f1316bc77a..92f8844d81 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index b9ee438e22..26c23a84ce 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 6b641db70f..80bbb26cf5 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index 901e30a048..8db1aa11a4 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 38f6061d9f..080f9e469f 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: medium +ms.localizationpriority: medium ms.author: jdecker ms.date: 08/21/2017 --- diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md index 611432abea..9f56ccf841 100644 --- a/windows/configuration/windows-diagnostic-data.md +++ b/windows/configuration/windows-diagnostic-data.md @@ -6,12 +6,14 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high -author: brianlic-msft +author: eross-msft +ms.author: lizross +ms.date: 09/14/2017 --- # Windows 10, version 1703 Diagnostic Data -Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md). +Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md). The data covered in this article is grouped into the following categories: @@ -21,10 +23,8 @@ The data covered in this article is grouped into the following categories: - Product and Service Usage data - Product and Service Performance data - Software Setup and Inventory data -- Content Consumption data -- Browsing, Search and Query data +- Browsing History data - Inking, Typing, and Speech Utterance data -- Licensing and Purchase data > [!NOTE] > The majority of diagnostic data falls into the first four categories. @@ -66,8 +66,15 @@ This type of data includes details about the health of the device, operating sys | Category Name | Description and Examples | | - | - | -| Device health and crash data | Information about the device and software health such as:

    • Error codes and error messages, name and ID of the app, and process reporting the error
    • DLL library predicted to be the source of the error -- xyz.dll
    • System generated files -- app or product logs and trace files to help diagnose a crash or hang
    • System settings such as registry keys
    • User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
    • Details and counts of abnormal shutdowns, hangs, and crashes
    • Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
    • Crash and Hang dumps
      • The recorded state of the working memory at the point of the crash.
      • Memory in use by the kernel at the point of the crash.
      • Memory in use by the application at the point of the crash.
      • All the physical memory used by Windows at the point of the crash.
      • Class and function name within the module that failed.
      | -| Device performance and reliability data | Information about the device and software performance such as:
      • User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
      • Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
      • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
      • User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
      • UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
      • Disk footprint -- Free disk space, out of memory conditions, and disk score.
      • Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
      • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
      • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
      • Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
      • Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
      • Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
      • Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
      +|Device health and crash data | Information about the device and software health such as:
      • Error codes and error messages, name and ID of the app, and process reporting the error
      • DLL library predicted to be the source of the error -- xyz.dll
      • System generated files -- app or product logs and trace files to help diagnose a crash or hang
      • System settings such as registry keys
      • User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
      • Details and counts of abnormal shutdowns, hangs, and crashes
      • Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
      • Crash and Hang dumps
        • The recorded state of the working memory at the point of the crash.
        • Memory in use by the kernel at the point of the crash.
        • Memory in use by the application at the point of the crash.
        • All the physical memory used by Windows at the point of the crash.
        • Class and function name within the module that failed.
        | +|Device performance and reliability data | Information about the device and software performance such as:
        • User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
        • Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
        • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
        • User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
        • UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
        • Disk footprint -- Free disk space, out of memory conditions, and disk score.
        • Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
        • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
        • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
        • Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
        • Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
        • Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
        • Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
        | +|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
        • Video Width, height, color pallet, encoding (compression) type, and encryption type
        • Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
        • URL for a specific two second chunk of content if there is an error
        • Full screen viewing mode details| +|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
          • Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
          • Content type (video, audio, surround audio)
          • Local media library collection statistics -- number of purchased tracks, number of playlists
          • Region mismatch -- User OS Region, and Xbox Live region
          | +|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
          • App accessing content and status and options used to open a Microsoft Store book
          • Language of the book
          • Time spent reading content
          • Content type and size details
          | +|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.
          • File source data -- local, SD card, network device, and OneDrive
          • Image & video resolution, video length, file sizes types and encoding
          • Collection view or full screen viewer use and duration of view
        | +|On-device file query | Information about local search activity on the device such as:
        • Kind of query issued and index type (ConstraintIndex, SystemIndex)
        • Number of items requested and retrieved
        • File extension of search result user interacted with
        • Launched item kind, file extension, index of origin, and the App ID of the opening app.
        • Name of process calling the indexer and time to service the query.
        • A hash of the search scope (file, Outlook, OneNote, IE history)
        • The state of the indices (fully optimized, partially optimized, being built)
        | +|Purchasing| Information about purchases made on the device such as:
        • Product ID, edition ID and product URI
        • Offer details -- price
        • Order requested date/time
        • Store client type -- web or native client
        • Purchase quantity and price
        • Payment type -- credit card type and PayPal
        | +|Entitlements | Information about entitlements on the device such as:
        • Service subscription status and errors
        • DRM and license rights details -- Groove subscription or OS volume license
        • Entitlement ID, lease ID, and package ID of the install package
        • Entitlement revocation
        • License type (trial, offline vs online) and duration
        • License usage session
        | ## Software Setup and Inventory data @@ -78,25 +85,13 @@ This type of data includes software installation and update information on the d | Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
        • App, driver, update package, or component’s Name, ID, or Package Family Name
        • Product, SKU, availability, catalog, content, and Bundle IDs
        • OS component, app or driver publisher, language, version and type (Win32 or UWP)
        • Install date, method, and install directory, count of install attempts
        • MSI package code and product code
        • Original OS version at install time
        • User or administrator or mandatory installation/update
        • Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
        | | Device update information | Information about Windows Update such as:
        • Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
        • Number of applicable updates, importance, type
        • Update download size and source -- CDN or LAN peers
        • Delay upgrade status and configuration
        • OS uninstall and rollback status and count
        • Windows Update server and service URL
        • Windows Update machine ID
        • Windows Insider build details
        -## Content Consumption data +## Browsing History data -This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits. - -| Category Name | Examples | -| - | - | -| Movies | Information about movie consumption functionality on the device such as:
        • Video Width, height, color pallet, encoding (compression) type, and encryption type
        • Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
        • URL for a specific two second chunk of content if there is an error
        • Full screen viewing mode details
        | -| Music & TV | Information about music and TV consumption on the device such as:
        • Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
        • Content type (video, audio, surround audio)
        • Local media library collection statistics -- number of purchased tracks, number of playlists
        • Region mismatch -- User OS Region, and Xbox Live region
        | -| Reading | Information about reading consumption functionality on the device such as:
        • App accessing content and status and options used to open a Microsoft Store book
        • Language of the book
        • Time spent reading content
        • Content type and size details
        | -| Photos App | Information about photos usage on the device such as:
        • File source data -- local, SD card, network device, and OneDrive
        • Image & video resolution, video length, file sizes types and encoding
        • Collection view or full screen viewer use and duration of view
        - -## Browsing, Search and Query data - -This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device. +This type of data includes details about web browsing in the Microsoft browsers. | Category Name | Description and Examples | | - | - | | Microsoft browser data | Information about Address bar and search box performance on the device such as:
        • Text typed in address bar and search box
        • Text selected for Ask Cortana search
        • Service response time
        • Auto-completed text if there was an auto-complete
        • Navigation suggestions provided based on local history and favorites
        • Browser ID
        • URLs (which may include search terms)
        • Page title
        | -| On-device file query | Information about local search activity on the device such as:
        • Kind of query issued and index type (ConstraintIndex, SystemIndex)
        • Number of items requested and retrieved
        • File extension of search result user interacted with
        • Launched item kind, file extension, index of origin, and the App ID of the opening app.
        • Name of process calling the indexer and time to service the query.
        • A hash of the search scope (file, Outlook, OneNote, IE history)
        • The state of the indices (fully optimized, partially optimized, being built)
        | ## Inking Typing and Speech Utterance data @@ -105,13 +100,4 @@ This type of data gathers details about the voice, inking, and typing input feat | Category Name | Description and Examples | | - | - | -| Voice, inking, and typing | Information about voice, inking and typing features such as:
        • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
        • Pen gestures (click, double click, pan, zoom, rotate)
        • Palm Touch x,y coordinates
        • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
        • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
        • Text of speech recognition results -- result codes and recognized text
        • Language and model of the recognizer, System Speech language
        • App ID using speech features
        • Whether user is known to be a child
        • Confidence and Success/Failure of speech recognition
        | - -## ​​​​​​​Licensing and Purchase data - -This type of data includes diagnostic details about the purchase and entitlement activity on the device. - -| Category Name | Data Examples | -| - | - | -| Purchase history | Information about purchases made on the device such as:
        • Product ID, edition ID and product URI
        • Offer details -- price
        • Order requested date/time
        • Store client type -- web or native client
        • Purchase quantity and price
        • Payment type -- credit card type and PayPal
        | -| Entitlements | Information about entitlements on the device such as:
        • Service subscription status and errors
        • DRM and license rights details -- Groove subscription or OS volume license
        • Entitlement ID, lease ID, and package ID of the install package
        • Entitlement revocation
        • License type (trial, offline vs online) and duration
        • License usage session
        | \ No newline at end of file +| Voice, inking, and typing | Information about voice, inking and typing features such as:
        • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
        • Pen gestures (click, double click, pan, zoom, rotate)
        • Palm Touch x,y coordinates
        • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
        • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
        • Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
        • Text of speech recognition results -- result codes and recognized text
        • Language and model of the recognizer, System Speech language
        • App ID using speech features
        • Whether user is known to be a child
        • Confidence and Success/Failure of speech recognition
        | \ No newline at end of file diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index b070057f1d..3d057730dc 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -222,8 +222,6 @@ #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) #### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md) -##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md) -##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) ## Windows Analytics diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index a05a03bbe9..a3c44c5ab1 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -15,8 +15,18 @@ author: greg-lindsay This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
        +>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
        + +## Enabling Subscription Activation with an existing EA + +If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: + +1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:
        + a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
        + b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
        +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Also in this article: - [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. @@ -195,5 +205,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct A popup window will display the Windows 10 version number and detailed OS build information. - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. - + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. \ No newline at end of file diff --git a/windows/deployment/update/olympia/enrollment-keep-current-edition.md b/windows/deployment/update/olympia/enrollment-keep-current-edition.md deleted file mode 100644 index b0016c44ee..0000000000 --- a/windows/deployment/update/olympia/enrollment-keep-current-edition.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Keep your current Windows 10 edition -description: Olympia Corp enrollment - Keep your current Windows 10 edition -ms.author: nibr -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower -ms.date: 09/01/2017 ---- - -# Olympia Corp enrollment - -## Keep your current Windows 10 edition - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/1-3.png) - -4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/1-4.png) - -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. - -6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. diff --git a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md deleted file mode 100644 index 6643971428..0000000000 --- a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Upgrade your Windows 10 edition from Pro to Enterprise -description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise -ms.author: nibr -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower -ms.date: 09/01/2017 ---- - -# Olympia Corp enrollment - -## Upgrade your Windows 10 edition from Pro to Enterprise - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect**, then click **Join this device to Azure Active Directory**. - - ![Update your password](images/2-3.png) - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/2-4.png) - -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/2-5.png) - -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -10. Restart your PC. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - -\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia. - diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 17b87bd7b0..fddd959017 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/01/2017 +ms.date: 09/14/2017 --- # Olympia Corp enrollment guidelines @@ -17,6 +17,87 @@ As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Ent Choose one of the following two enrollment options: -1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md) +1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition) + +2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise) + + + +## Keep your current Windows 10 edition + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/1-3.png) + +4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/1-4.png) + +5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. + +6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details. + +7. Create a PIN for signing into your Olympia corporate account. + +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + + + +## Upgrade your Windows 10 edition from Pro to Enterprise + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect**, then click **Join this device to Azure Active Directory**. + + ![Update your password](images/2-3.png) + +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/2-4.png) + +5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/2-5.png) + +6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details. + +8. Create a PIN for signing into your Olympia corporate account. + +9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +10. Restart your PC. + +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*. + +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + +\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia. -2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md) diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 118d52b056..12589a4f94 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -5,6 +5,7 @@ ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.date: 09/07/2017 author: greg-lindsay --- @@ -28,6 +29,8 @@ The following sections discuss common issues that you might see when you run the [Hard Link Migration Problems](#bkmk-hardlink) +[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) + ## General Guidelines for Identifying Migration Problems @@ -222,6 +225,26 @@ There are three typical causes for this issue. **Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. +### USMT does not migrate the Start layout + +**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. + +**Cause:** A code change in the Start Menu with Windows 10 version 1607 is incompatible with this USMT function. + +**Resolution:** The following workaround is available: + +1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: + + ``` + Export-StartLayout -Path "C:\Layout\user1.xml" + ``` +2. Migrate the user's profile with USMT. +3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: + + ``` + Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% + ``` + ## Offline Migration Problems @@ -286,6 +309,10 @@ USMTutils /rd You should also reboot the machine. + + + + ## Related topics diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 6ff122772a..02e64c33e8 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -1,6 +1,6 @@ --- -title: What Does USMT Migrate (Windows 10) -description: What Does USMT Migrate +title: What does USMT migrate (Windows 10) +description: What does USMT migrate ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 ms.prod: w10 ms.mktglfcycl: deploy @@ -8,23 +8,23 @@ ms.sitesec: library author: greg-lindsay --- -# What Does USMT Migrate? +# What does USMT migrate? -## In This Topic +## In this topic -- [Default Migration Scripts](#bkmk-defaultmigscripts) +- [Default migration scripts](#bkmk-defaultmigscripts) - [User Data](#bkmk-3) -- [Operating-System Components](#bkmk-4) +- [Operating-system components](#bkmk-4) -- [Supported Applications](#bkmk-2) +- [Supported applications](#bkmk-2) -- [What USMT Does Not Migrate](#no) +- [What USMT does not migrate](#no) -## Default Migration Scripts +## Default migration scripts The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: @@ -43,7 +43,7 @@ The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer ca - Access control lists (ACLs) for folders outside the user profile. -## User Data +## User data This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. @@ -52,6 +52,9 @@ This section describes the user data that USMT migrates by default, using the Mi My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + >[!IMPORTANT] + >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + - **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: - Shared Documents @@ -84,7 +87,7 @@ To migrate ACLs, you must specify the directory to migrate in the MigUser.xml fi   -## Operating-System Components +## Operating-system components USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 @@ -151,7 +154,7 @@ Some settings, such as fonts, are not applied by the LoadState tool until after   -## Supported Applications +## Supported applications Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. @@ -361,12 +364,12 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi   -## What USMT Does Not Migrate +## What USMT does not migrate The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). -### Application Settings +### Application settings USMT does not migrate the following application settings: @@ -382,7 +385,7 @@ USMT does not migrate the following application settings: - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. -### Operating-System Settings +### Operating-System settings USMT does not migrate the following operating-system settings. @@ -402,10 +405,14 @@ You should also note the following: - You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). +### Start menu layout + +Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + ## Related topics -[Plan Your Migration](usmt-plan-your-migration.md) +[Plan your migration](usmt-plan-your-migration.md)   diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index a6f560cc33..fc38a3df22 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 08/23/2017 +ms.date: 09/05/2017 author: greg-lindsay --- @@ -15,6 +15,11 @@ author: greg-lindsay This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. +Deployment instructions are provided for the following scenarios: +1. [Active Directory-joined VMs](#active-directory-joined-vms) +2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) +3. [Azure Gallery VMs](#azure-gallery-vms) + ## Requirements - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. @@ -64,7 +69,35 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir - In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. - In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. - In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below. +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rpd-settings-for-azure). + +## Azure Gallery VMs + +1. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +4. Click **Add**, type **Authenticated users**, and then click **OK** three times. +(https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd). +5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +6. Open Windows Configuration Designer and click **Provison desktop services**. +7. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. +8. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +9. On the Set up network page, choose **Off**. +10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. +11. On the Add applications page, add applications if desired. This step is optional. +12. On the Add certificates page, add certificates if desired. This step is optional. +13. On the Finish page, click **Create**. +14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. + +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rpd-settings-for-azure). + +## Create custom RDP settings for Azure To create custom RDP settings for Azure: diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index c767d18075..9f6b5c02a8 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -102,7 +102,7 @@ changepk.exe /ProductKey %ProductKey% ### Obtaining an Azure AD licence Enterprise Agreement/Software Assurance (EA/SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). - The license administrator can assign seats to Azure AD users with the same process that is used for O365. - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 97e9d04fb9..2fc47e4258 100644 --- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -26,7 +26,7 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | Windows 7 | Windows 10 | |---|---| | When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

        Network Unlock allows PCs to start automatically when connected to the internal network. | -| Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

        Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | + | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

        Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | @@ -66,7 +66,7 @@ Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryp Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: -* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). +* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. * If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. * If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. * Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 9f7bef9162..8b11311fb6 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -36,6 +36,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - bginfo.exe[1] - cdb.exe - csi.exe +- dbghost.exe +- dbgsvc.exe - dnx.exe - fsi.exe - fsiAnyCpu.exe @@ -106,11 +108,14 @@ Microsoft recommends that you block the following Microsoft-signed applications + - + + + @@ -163,7 +168,7 @@ Microsoft recommends that you block the following Microsoft-signed applications - + @@ -177,6 +182,8 @@ Microsoft recommends that you block the following Microsoft-signed applications + + diff --git a/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png new file mode 100644 index 0000000000..52acafba66 Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png differ diff --git a/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png new file mode 100644 index 0000000000..858be4e70e Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png differ diff --git a/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png new file mode 100644 index 0000000000..2efa6877c8 Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png differ diff --git a/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md index d51142a117..29f724e680 100644 --- a/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md @@ -30,7 +30,9 @@ The **Passwords must meet complexity requirements** policy setting determines wh - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Base 10 digits (0 through 9) - - Non-alphanumeric characters (special characters) (for example, !, $, \#, %) + - Non-alphanumeric characters (special characters): + (~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/) + Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting. - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. Complexity requirements are enforced when passwords are changed or created. diff --git a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index e0e41611ad..b452b3c093 100644 --- a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -18,9 +18,10 @@ Describes the best practices, location, values, policy management and security c ## Reference This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. -When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**. +When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**. ->**Note:**  If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. +> [!NOTE] +> If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.   ### Possible values @@ -30,11 +31,16 @@ When the Admin Approval Mode is enabled, the local administrator account functio - Disabled - The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. + If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges ### Best practices -- Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC). +- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) + + To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. + +> [!NOTE] +> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. ### Location @@ -67,10 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways: - -- If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -- If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted. +One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. In a default installation of a computer running at least Windows Vista, if the computer is not joined to a domain, the first user account you create has the equivalent permissions of a local administrator. ### Countermeasure diff --git a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index cbc598ba9f..bd001552c4 100644 --- a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -25,7 +25,8 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Elevate without prompting** Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. - >**Note:**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + + **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.   - **Prompt for credentials on the secure desktop** @@ -33,7 +34,7 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Prompt for consent on the secure desktop** - When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.* - **Prompt for credential**s @@ -47,10 +48,17 @@ This policy setting determines the behavior of the elevation prompt for accounts This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. +\*If you have enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. + +> [!NOTE] +> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. + ### Best practices - Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. +- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options @@ -58,7 +66,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec ### Default values -| Server type or GPO Default value | +| Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined| | Default Domain Controller Policy | Not defined | diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index 7c44d3803e..8dcde29788 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md @@ -105,7 +105,6 @@ The following table defines which Windows features require TPM support. | Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. | | Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. | | Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. | -| Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. | | Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. | | Device Health Attestation | Required | Required | | | Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 8ed1a52f71..56c4ddc65a 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -6,4 +6,5 @@ ## [Application management](/windows/application-management) ## [Access protection](/windows/access-protection) ## [Device security](/windows/device-security) -## [Threat protection](/windows/threat-protection) \ No newline at end of file +## [Threat protection](/windows/threat-protection) +## [Troubleshooting](/windows/client-management/windows-10-support-solutions) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 258a939423..4d97b468d3 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -45,12 +45,11 @@ You can also [specify how long the file should be prevented from running](config ## How it works -When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. The following video describes how this feature works. +When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. -The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file. +The Block at First Sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. - + If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index b8b5733748..6a6267b89a 100644 --- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -33,6 +33,11 @@ Cloud-delivered protection for Windows Defender Antivirus, also referred to as M Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds. +The following video describes how it works: + + + Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager. diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 5221675063..0018059252 100644 --- a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security author: eross-msft ms.author: lizross ms.date: 08/11/2017 -localizationpriority: high --- # Configure Windows Defender Application Guard policy settings diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 78a7228f40..d5206df9fb 100644 --- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security author: eross-msft ms.author: lizross ms.date: 08/11/2017 -localizationpriority: high --- # Frequently asked questions - Windows Defender Application Guard diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index a93a6519fc..0504f9f546 100644 --- a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security author: eross-msft ms.author: lizross ms.date: 08/11/2017 -localizationpriority: high --- # Prepare and install Windows Defender Application Guard diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index c9f657f6f9..15b33475fa 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security author: eross-msft ms.author: lizross ms.date: 08/11/2017 -localizationpriority: high --- # System requirements for Windows Defender Application Guard diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 152f404382..b7cb312c08 100644 --- a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security author: eross-msft ms.author: lizross ms.date: 08/11/2017 -localizationpriority: high --- # Testing scenarios using Windows Defender Application Guard in your business or organization diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index ac7c37e883..df475ea509 100644 --- a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -8,7 +8,6 @@ ms.pagetype: security author: eross-msft ms.author: lizross ms.date: 08/11/2017 -localizationpriority: high --- # Windows Defender Application Guard overview diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 2d146c99a0..f775017c4c 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -36,240 +36,39 @@ The ArcSight field column contains the default mapping between the Windows Defen Field numbers match the numbers in the images below. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Portal labelSIEM field nameArcSight fieldExample valueDescription
        1AlertTitlenameA dll was unexpectedly loaded into a high integrity process without a UAC promptValue available for every alert.
        2SeveritydeviceSeverityMediumValue available for every alert.
        3CategorydeviceEventCategoryPrivilege EscalationValue available for every alert.
        4SourcesourceServiceNameWindowsDefenderATPWindows Defender Antivirus or Windows Defender ATP. Value available for every alert.
        5MachineNamesourceHostNameliz-beanValue available for every alert.
        6FileNamefileNameRobocopy.exeAvailable for alerts associated with a file or process.
        7FilePathfilePathC:\Windows\System32\Robocopy.exeAvailable for alerts associated with a file or process. \
        8UserDomainsourceNtDomaincontosoThe domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
        9UserNamesourceUserNameliz-beanThe user context running the activity, available for Windows Defender ATP behavioral based alerts.
        10Sha1fileHash5b4b3985339529be3151d331395f667e1d5b7f35Available for alerts associated with a file or process.
        11Md5deviceCustomString555394b85cb5edddff551f6f3faa9d8ebAvailable for Windows Defender AV alerts.
        12Sha256deviceCustomString69987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5Available for Windows Defender AV alerts.
        13ThreatNameeviceCustomString1Trojan:Win32/Skeeyah.A!bitAvailable for Windows Defender AV alerts.
        14IpAddresssourceAddress218.90.204.141Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
        15UrlrequestUrldown.esales360.cnAvailabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.
        16RemediationIsSuccessdeviceCustomNumber2TRUEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
        17WasExecutingWhileDetecteddeviceCustomNumber1FALSEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
        18AlertIdexternalId636210704265059241_673569822Value available for every alert.
        19LinkToWDATPflexString1`https://securitycenter.windows.com/alert/636210704265059241_673569822`Value available for every alert.
        20AlertTimedeviceReceiptTime2017-05-07T01:56:59.3191352ZThe time the activity relevant to the alert occurred. Value available for every alert.
        21MachineDomainsourceDnsDomaincontoso.comDomain name not relevant for AAD joined machines. Value available for every alert.
        22ActordeviceCustomString4Available for alerts related to a known actor group.
        21+5ComputerDnsNameNo mappingliz-bean.contoso.comThe machine fully qualified domain name. Value available for every alert.
        LogOnUserssourceUserIdcontoso\liz-bean; contoso\jay-hardeeThe domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.
        Internal fieldLastProcessedTimeUtcNo mapping2017-05-07T01:56:58.9936648ZTime when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.
        Not part of the schemadeviceVendorStatic value in the ArcSight mapping - 'Microsoft'.
        Not part of the schemadeviceProductStatic value in the ArcSight mapping - 'Windows Defender ATP'.
        Not part of the schemadeviceVersionStatic value in the ArcSight mapping - '2.0', used to identify the mapping versions.
        +> [!div class="mx-tableFixed"] +| Portal label | SIEM field name | ArcSight field | Example value | Description | +|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. | +| 2 | Severity | deviceSeverity | Medium | Value available for every alert. | +| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. | +| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. | +| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. | +| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. | +| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. | +| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. | +| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. | +| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. | +| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. | +| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. | +| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. | +| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | +| 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | +| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | +| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | +| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. | +| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. | +| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. | +| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. | +| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. | +| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. | +| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | +| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | +| | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | +| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. | +| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | +| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. | +| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. ![Image of alert with numbers](images/atp-alert-page.png) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index a1f1d75d60..42a6f77d4d 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -29,6 +29,11 @@ You can use mobile device management (MDM) solutions to configure endpoints. Win For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +## Before you begin +If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully. + +For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune). + ## Configure endpoints using Microsoft Intune For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index b10e923513..c482403b20 100644 --- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -73,5 +73,9 @@ Your data will be kept for a period of at least 90 days, during which it will be ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards. -By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. + + +By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. + +For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png b/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png new file mode 100644 index 0000000000..aeae7b6a42 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png new file mode 100644 index 0000000000..58d25e0f9d Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png differ diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 158de675fc..b43ff9eb93 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -38,7 +38,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros - Windows 10 Enterprise E5 - Windows 10 Education E5 -- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5 +- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 7a8e8393e6..9e98297388 100644 --- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -30,7 +30,7 @@ Enterprise security teams can use the Windows Defender ATP portal to monitor and You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to: - View, sort, and triage alerts from your endpoints - Search for more information on observed indicators such as files and IP Addresses -- Change Windows Defender ATP settings, including time zone and alert suppression rules +- Change Windows Defender ATP settings, including time zone and licensing information. ## Windows Defender ATP portal When you open the portal, you’ll see the main areas of the application: @@ -48,10 +48,10 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- -(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
        **Feedback** -Access the feedback button to provide comments about the portal.
        **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
        **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. +(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
        **Feedback** -Access the feedback button to provide comments about the portal.
        **Settings** - Gives you access to the configuration settings where you can set time zones and view license information.
        **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. (2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. **Dashboards** | Enables you to view the Security operations or the Security analytics dashboard. -**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. +**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 1419c95077..703b227b63 100644 --- a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -78,9 +78,12 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t 7. Click **File** > **Options and settings** > **Custom data connectors**. 8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. + + >[!NOTE] + >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**. ![Power BI options page](images/atp-powerbi-options.png) - + 9. Restart Power BI Desktop. ## Customize the Windows Defender ATP Power BI dashboard diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 096f49bab4..e9237f713e 100644 --- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -34,6 +34,9 @@ You'll have access to upcoming features which you can provide feedback on to hel Turn on the preview experience setting to be among the first to try upcoming features. 1. In the navigation pane, select **Preferences setup** > **Preview experience**. + + ![Image of Preferences setup and preview experience](images/atp-preview-features.png) + 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Preview features diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 328a0ff719..89beeaac45 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -93,11 +93,15 @@ You can roll back and remove a file from quarantine if you’ve determined that > Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. ## Block files in your network -You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. +You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!NOTE] >This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

        -This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build. +This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later. + +>[!IMPORTANT] +> The PE file needs to be in the machine timeline for you to be able to take this action. + ### Enable the block file feature 1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**. @@ -109,9 +113,7 @@ This feature is designed to prevent suspected malware (or potentially malicious 3. Type a comment and select **Yes, block file** to take action on the file. - The Action center shows the submission information: - ![Image of block file](images/atp-blockfile.png) - **Submission time** - Shows when the action was submitted.
        diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md index 0d217af685..81b976e914 100644 --- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ ms.date: 09/05/2017 [!include[Prerelease information](prerelease.md)] -Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information. +Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone and view license information. ## Time zone settings The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. @@ -39,7 +39,7 @@ Your current time zone setting is shown in the Windows Defender ATP menu. You ca ### UTC time zone Windows Defender ATP uses UTC time by default. -Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. Choosing this setting means that all users will see the same timestamps in Windows Defender ATP, regardless of their regional settings. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events. +Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events. ### Local time zone You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone. @@ -55,10 +55,36 @@ To set the time zone: 1. Click the **Settings** menu ![Settings icon](images/settings.png). 2. Select the **Timezone UTC** indicator. -3. Select **Timezone Local** or **-8:00**. +3. Select **Timezone UTC** or your local time zone, for example -7:00. -## Suppression rules -The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). +### Regional settings +To apply different date formats for Windows Defender ATP, use regional settings for IE and Edge. If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. + + +**Internet Explorer (IE) and Microsoft Edge (Edge)** + +IE and Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel. + + +#### Known issues with regional formats + +**Date and time formats**
        +There are some known issues with the time and date formats. + +The following date formats are supported: +- MM/dd/yyyy +- dd/MM/yyyy + +The following date and time formats are currently not supported: +- Date format yyyy-MM-dd +- Date format dd-MMM-yy +- Date format dd/MM/yy +- Date format MM/dd/yy +- Date format with yy. Will only show yyyy. +- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported. + +**Decimal symbol used in numbers**
        +Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K. ## License Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 00ddbd8987..de337b11fd 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -50,6 +50,24 @@ If onboarding endpoints successfully completes but Windows Defender ATP does not For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). +#### Known issues with regional formats + +**Date and time formats**
        +There are some known issues with the time and date formats. + +The following date formats are supported: +- MM/dd/yyyy +- dd/MM/yyyy + +The following date and time formats are currently not supported: +- Date format yyyy/MM/dd +- Date format dd/MM/yy +- Date format with yy. Will only show yyyy. +- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported. + +**Use of comma to indicate thousand**
        +Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K. + ### Related topic - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 0916abe7b6..0817855e6a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -129,7 +129,7 @@ The following requirements must be met before Attack Surface Reduction will work Windows 10 version | Windows Defender Antivirus - | - -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 2cda929649..2945821a44 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -62,7 +62,7 @@ The following requirements must be met before Controlled Folder Access will work Windows 10 version | Windows Defender Antivirus -|- -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled ## Review Controlled Folder Access events in Windows Event Viewer diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 910db87d44..d128c1da67 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -79,8 +79,7 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to - Disabled = 0 - Audit mode = 2 - - ![](images/asr-rules-gp.png) +![](images/asr-rules-gp.png) @@ -91,13 +90,13 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to 2. Enter the following cmdlet: ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids + Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` You can enable the feature in audit mode using the following cmdlet: ```PowerShell -Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md index 5e1df99718..853ef9a50d 100644 --- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md index 2b6985d243..922db68920 100644 --- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # How to collect Windows Information Protection (WIP) audit event logs diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 50bf85a578..cee2d5b687 100644 --- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index e4edc3e586..163ef51a0f 100644 --- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md index 7b54968b51..83010d82bf 100644 --- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 6f9d99a876..48b2f0abd2 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md index 2f74bae405..b40ee0a441 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 25be0c5cdc..af978f2b5a 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index b953181936..1324eed5be 100644 --- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md index 1cdad28951..8dd0fcf76f 100644 --- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 3694e13ba8..f3ef168e1c 100644 --- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md index 73eddd870d..08e74a6265 100644 --- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # General guidance and best practices for Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md index 67b6897a16..9c61e080b5 100644 --- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Limitations while using Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md index d810066027..34070f6316 100644 --- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md index 428c25c20d..6dcd047747 100644 --- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create a Windows Information Protection (WIP) policy diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 934aa9ae7c..d374d95478 100644 --- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Protect your enterprise data using Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 418c24c0ef..5bd3eccc1f 100644 --- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md index 0c5aff23c1..88f14510a5 100644 --- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Testing scenarios for Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md index e2aacd97c4..dbba82c416 100644 --- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Using Outlook on the web with Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md index fbf77802f5..bc89db2205 100644 --- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)