For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable setting (default) | Any added search engines are removed from the employee’s device. |
-| Do not configure | The search engine list is set to what is specified in App settings. |
+## Always Enable book library
+>*Supporteded versions: Windows 10*
-### Configure Autofill
+This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation.
+
+**Microsoft Intune to manage your MDM settings**
+| | |
+|---|---|
+|MDM name |[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |
+|Supported devices |Desktop
Mobile |
+|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary |
+|Data type | Integer |
+|Allowed values |
- **0 (default)** - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available.
- **1** - Enable. Always show the Books Library, regardless of countries or region of activation.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Additional search engines are not allowed.
- **1** - Additional search engines are allowed.
- **0** - Employees cannot use Autofill to complete form fields.
- **1 (default)** - Employees can use Autofill to complete form fields.
- **Allow all cookies (default)** from all websites.
- **Block all cookies** from all websites.
- **Block only 3rd-party cookies** from 3rd-party websites.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCookies | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Allows all cookies from all sites.
- **1** - Blocks only cookies from 3rd party websites.
- **2** - Blocks all cookies from all sites.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.
- **1** - Employees can send Do Not Track headers to websites requesting tracking info.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites | +|Data type | String | + + +## Configure Password Manager +>*Supported versions: Windows 10* + +This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Employees cannot use Password Manager to save passwords locally.
- **1** - Employees can use Password Manager to save passwords locally.
- **0 (default)** - Turns off Pop-up Blocker, allowing pop-up windows.
- **1** - Turns on Pop-up Blocker, stopping pop-up windows.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Employees cannot see search suggestions in the Address bar of Microsoft Edge.
- **1** - Employees can see search suggestions in the Address bar of Microsoft Edge.
- **0** - Adobe Flash content is automatically loaded and run by Microsoft Edge.
- **1 (default)** - An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
`
>If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one. -### Configure Windows Defender SmartScreen +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList | +|Data type | String | +|Allowed values |
- Not configured.
- **1 (default)** - Use the Enterprise Mode Site List, if configured.
- **2** - Specify the location to the site list.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Turns off Windows Defender SmartScreen.
- **1** - Turns on Windows Defender SmartScreen, providing warning messages to your you about potential phishing scams and malicious software.
- **0 (default)** - Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
- **1** - Disable lockdown of the Start pages and allow users to modify them.
Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. | -| Disable or do not configure | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. | +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | +|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | +|Data type | Integer | +|Allowed values |
- **0** - Employees cannot sync settings between PCs.
- **1 (default)** - Employees can sync between PCs.
- **0 (default)** - Synchronization is turned off.
- **1** - Synchronization is turned on.
- **0 (default)** - Employees can access the about:flags page in Microsoft Edge.
- **1** - Employees cannot access the about:flags page in Microsoft Edge.
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Lets you ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
- **1** - Stops you from ignoring the Windows Defender SmartScreen warnings about unverified files.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Turns off Windows Defender SmartScreen.
- **1** - Turns on Windows Defender SmartScreen.
`https://fabrikam.com/opensearch.xml` | -| Disable | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . | -| Do not configure | The default search engine is set to the one specified in App settings. | +This policy setting specifies whether you can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and you can make changes to the Favorites list. If enabled, you cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. >[!Important] ->If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. -### Show message when opening sites in Internet Explorer +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Disabled. Do not lockdown Favorites.
- **1** - Enabled. Lockdown Favorites.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
- **1** - Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage | +|Data type | Integer | +|Allowed values |
- **0 (default)** - Employees see the First Run webpage.
- **1** - Employees do not see the First Run webpage.
- **0 (default)** - Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1** - Does not show an employee's LocalHost IP address while using the WebRTC protocol.
- **0 (default)** - Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1** - Automatically opens all intranet sites using Internet Explorer 11.
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine | +|Data type | Integer | +|Allowed values |
- **0 (default)** - The default search engine is set to the one specified in App settings.
- **1** - Allows you to configure the default search engine for your you.
- **0 (default)** - Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **0** - No shared folder.
- **1** - Use as shared folder.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-### Favorites
-- **Supported versions:** Windows 10, version 1511 or later
-
-- **Supported devices:** Both
-
-- **Details:**
-
- - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/Favorites
-
- - **Data type:** String
-
- - **Allowed values:**
-
- - Configure the **Favorite** URLs for your employees.
-
- **Example:**
-
- Accounts: Block Microsoft accounts **Note** Microsoft accounts can still be used in apps. Enabled Interactive logon: Do not display last user name Enabled Interactive logon: Sign-in last interactive user automatically after a system-initiated restart Disabled Interactive logon: Sign-in last interactive user automatically after a system-initiated restart Disabled User Account Control: Behavior of the elevation prompt for standard users Auto deny ASP.NET MVC 4.0 [ASP.NET MVC 4 download](https://go.microsoft.com/fwlink/?LinkId=392271) Service Principal Name (SPN) The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools. If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](http://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs. Added in Windows 10, version 1703. Used to remove packages.
+ Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT.
Parameters:
Supported operation is Execute.
- The following example removes a package for the specified user:
-
-```XML
- The following example removes a package for all users:
````XML
@@ -307,7 +291,12 @@ The following image shows the EnterpriseModernAppManagement configuration servic
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/Users**
- Required. Registered users of the app. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
+ Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
+
+- Not Installed = 0
+- Staged = 1
+- Installed = 2
+- Paused = 6
Supported operation is Get.
diff --git a/windows/client-management/mdm/images/provisioning-csp-vpn.png b/windows/client-management/mdm/images/provisioning-csp-vpn.png
index 15e907a16c..f46b884641 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-vpn.png and b/windows/client-management/mdm/images/provisioning-csp-vpn.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
index 8e18128149..c8f2721143 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 5453323c70..b82b5779fd 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -24,49 +24,49 @@ The following diagram shows the MultiSIM configuration service provider in tree
**./Device/Vendor/MSFT/MultiSIM**
Root node.
-**_ModemID_**
+**_ModemID_**
Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem.
-**_ModemID_/Identifier**
+**_ModemID_/Identifier**
Modem ID.
Supported operation is Get. Value type is string.
-**_ModemID_/IsEmbedded**
+**_ModemID_/IsEmbedded**
Indicates whether this modem is embedded or external.
Supported operation is Get. Value type is bool.
-**_ModemID_/Slots**
+**_ModemID_/Slots**
Represents all SIM slots in the Modem.
-**_ModemID_/Slots/_SlotID_**
+**_ModemID_/Slots/_SlotID_**
Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
-**_ModemID_/Slots/_SlotID_/Identifier**
+**_ModemID_/Slots/_SlotID_/Identifier**
Slot ID.
Supported operation is Get. Value type is integer.
-**_ModemID_/Slots/_SlotID_/IsEmbedded**
+**_ModemID_/Slots/_SlotID_/IsEmbedded**
Indicates whether this Slot is embedded or a physical SIM slot.
Supported operation is Get. Value type is bool.
-**_ModemID_/Slots/_SlotID_/IsSelected**
+**_ModemID_/Slots/_SlotID_/IsSelected**
Indicates whether this Slot is selected or not.
Supported operation is Get and Replace. Value type is bool.
-**_ModemID_/Slots/_SlotID_/State**
+**_ModemID_/Slots/_SlotID_/State**
Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
Supported operation is Get. Value type is integer.
-**_ModemID_/Policies**
+**_ModemID_/Policies**
Policies associated with the Modem.
-**_ModemID_/Policies/SlotSelectionEnabled**
+**_ModemID_/Policies/SlotSelectionEnabled**
Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
Supported operation is Get and Replace. Value type is bool.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index a7eeb7a2b0..31bc357659 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/23/2018
+ms.date: 04/06/2018
---
# What's new in MDM enrollment and management
@@ -1149,6 +1149,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added the following new policies for Windows 10, version 1803: The following existing policies were updated: Returns status on Application Guard installation and pre-requisites. Value type is integer. Supported operation is Get. **In Windows 10, version 1511** **In Windows 10, version 1607 and later** Use this setting if you only want to support Azure AD in your organization.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required. **Note** **Note** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **Important**
-
+
+
diff --git a/education/windows/windows-automatic-redeployment.md b/education/windows/windows-automatic-redeployment.md
index f65d87c10f..5d64b44037 100644
--- a/education/windows/windows-automatic-redeployment.md
+++ b/education/windows/windows-automatic-redeployment.md
@@ -92,16 +92,10 @@ Windows Automatic Redeployment is a two-step process: trigger it and then authen
Windows Automatic Redeployment will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`.
-To check if WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
+To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
```
-reagent /info
-```
-
-If WinRE is not enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
-
-```
-reagent /enable
+reagentc /enable
```
If Windows Automatic Reployment fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance.
diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
index 7234d14a83..6161649e6f 100644
--- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
+++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
@@ -14,7 +14,7 @@ ms.date: 04/23/2017
# How to Enable BitLocker by Using MBAM as Part of a Windows Deployment
-This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process.
+This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process. If you see a black screen at restart (after Install phase concludes) indicating that the drive cannot be unlocked, see [Windows versions prior Windows 10 build 1511 fail to start after "Setup Windows and Configuration Manager" step when Pre-Provision BitLocker is used with Windows PE 10.0.586.0 (1511)](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/).
**Prerequisites:**
@@ -59,7 +59,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M
- Robust error handling
- You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
+ You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
**WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script.
diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
index 79fac92aba..b5cd982105 100644
--- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
+++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
@@ -286,6 +286,10 @@ The following table lists the installation prerequisites for the MBAM Administra
+
+
@@ -121,34 +121,18 @@ The following image shows the EnterpriseModernAppManagement configuration servic
-
-
-<<<<<<< HEAD
+[AccountManagement CSP](accountmanagement-csp.md)
@@ -1608,6 +1616,45 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### April 2018
+
+[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
->>>>>>> 2aa0839b99c52229c7cf43d58f467019b1284a6a
+
+
### March 2018
+
+
+
+New or updated topic
+Description
+
+
+[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
+
+
+
+
+
+[Policy CSP](policy-configuration-service-provider.md)
+
+
+
@@ -1669,6 +1716,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
+
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 3abd56fb99..d108e8bfc0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -399,6 +399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
@@ -28,6 +30,9 @@ ms.date: 03/12/2018
+
+**Bluetooth/AllowPromptedProximalConnections**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
4
+
+
+
+Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios.
+
+
+
+The following list shows the supported values:
+
+- 0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios
+- 1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios
+
+
+
+
+
+
+
+
+
+
+
+
**Bluetooth/LocalDeviceName**
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 79d91ff2dc..76ccab305a 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/13/2018
+ms.date: 03//2018
---
# Policy CSP - Browser
@@ -445,8 +445,9 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Block all cookies
+- 1 – Block only third party cookies
+- 2 - Allow cookies
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 835be83eb0..89b92cd690 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/12/2018
+ms.date: 04/02/2018
---
# Policy CSP - EventLogService
@@ -200,7 +200,7 @@ ADMX Info:
This policy setting specifies the maximum size of the log file in kilobytes.
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+If you enable this policy setting, you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 3f96460055..51935ec669 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -359,7 +359,7 @@ The following list shows the supported values:
-Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
+Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.
@@ -1027,7 +1027,7 @@ The following list shows the supported values:
-Added in Windows 10, version 1083. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
+Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
- User Setting is changeable on a per user basis.
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 27f995e4d9..583d9b17cd 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/12/2018
+ms.date: 04/06/2018
---
# Policy CSP - KioskBrowser
@@ -14,6 +14,8 @@ ms.date: 03/12/2018
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
+
@@ -83,6 +85,9 @@ ms.date: 03/12/2018
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+> [!Note]
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
+
@@ -127,6 +132,9 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
+> [!Note]
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
+
@@ -171,6 +179,9 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
+> [!Note]
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
+
@@ -215,6 +226,9 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
+> [!Note]
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
+
@@ -259,6 +273,9 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
+> [!Note]
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
+
@@ -305,6 +322,9 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
+> [!Note]
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 327397bc54..34c61a2c31 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/16/2018
+ms.date: 04/06/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -51,6 +51,15 @@ ms.date: 03/16/2018
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+GP Info:
+- GP English name: *Domain member: Disable machine account password changes*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@@ -2122,6 +2357,282 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+
+This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
+
+If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+If you do not configure this policy setting, no exceptions will be applied.
+
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Audit Incoming NTLM Traffic
+
+This policy setting allows you to audit incoming NTLM traffic.
+
+If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
+
+If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
+
+If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Incoming NTLM traffic
+
+This policy setting allows you to deny or allow incoming NTLM traffic.
+
+If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
+
+If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
+
+If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Incoming NTLM traffic*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers**
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ Mobile Enterprise
+
+
+
+
+
+
+Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+
+This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
+
+If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
+
+If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
+
+If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 5bee576aca..fc85260394 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -171,10 +171,10 @@ ADMX Info:
@@ -235,10 +235,10 @@ ADMX Info:
@@ -299,10 +299,10 @@ ADMX Info:
@@ -363,10 +363,10 @@ ADMX Info:
@@ -551,10 +551,10 @@ ADMX Info:
@@ -615,10 +615,10 @@ ADMX Info:
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index dfdf82afa1..12b9c8386e 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -834,7 +834,7 @@ The following list shows the supported values:
> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. Desktop users should use Search/DoNotUseWebResults.
Specifies what level of safe search (filtering adult content) is required.
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 9dd4ebd067..1efa6419f1 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -80,7 +80,7 @@ ms.date: 03/12/2018
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -129,7 +129,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -178,7 +178,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -227,7 +227,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -276,7 +276,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -325,7 +325,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 47e0032fd3..fdbdbaed7c 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 04/02/2017
---
# VPN CSP
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 710bbc8021..e123d33d74 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/22/2018
---
# WindowsDefenderApplicationGuard CSP
@@ -81,6 +81,18 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
+**Settings/AllowVirtualGPU**
+Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual GPU to process graphics. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+
+- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
+- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
+
+**Settings/SaveFilesToHost**
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+
+- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
+- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
+
**Status**
settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
@@ -167,7 +173,7 @@ The diagnostic data data is categorized into four levels:
- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
+- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
@@ -188,7 +194,7 @@ Windows Server Update Services (WSUS) and System Center Configuration Manager fu
The data gathered at this level includes:
-- **Connected User Experiences and Telemetry component settings**. If general diagnostic data data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
@@ -240,8 +246,6 @@ The data gathered at this level includes:
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- - **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started
-
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
@@ -322,9 +326,9 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
Sharing diagnostic data data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy overrides users’ choices. The remainder of this section describes how to do that.
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface.
### Manage your diagnostic data settings
@@ -340,7 +344,7 @@ The lowest diagnostic data setting level supported through management policies i
### Configure the operating system diagnostic data level
-You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy overrides any device level settings.
+You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
Use the appropriate value in the table below when you configure the management policy.
@@ -351,6 +355,8 @@ Use the appropriate value in the table below when you configure the management p
| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
+ > [!NOTE]
+ > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
### Use Group Policy to set the diagnostic data level
@@ -433,4 +439,4 @@ Web Pages
- [Privacy at Microsoft](http://privacy.microsoft.com)
-
\ No newline at end of file
+
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index f411b5bc5e..7e48ef64a7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -26,7 +26,7 @@ ms.date: 10/05/2017
|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
This setting only applies to Windows 10 Mobile.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled).|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 94f70ce62d..81fe4b5d61 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -230,6 +230,7 @@
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
+### [Determine the source of Windows updates](update/windows-update-sources.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 40c3fdf557..2388a8b57a 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -9,7 +9,7 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
-ms.date: 11/09/2017
+ms.date: 04/03/2018
---
# Create a Windows 10 reference image
@@ -20,7 +20,7 @@ ms.date: 11/09/2017
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
->{!NOTE]}
+>!NOTE]
>For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index a9805be280..0cd39373d7 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -1,16 +1,16 @@
---
-title: Update Windows 10 in the enterprise (Windows 10)
+title: Update Windows 10 in enterprise deployments (Windows 10)
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: Jaimeo
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 11/17/2017
+ms.author: jaimeo
+ms.date: 04/06/2018
---
-# Update Windows 10 in the enterprise
+# Update Windows 10 in enterprise deployments
**Applies to**
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 24c89c24be..0967178c16 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -90,7 +90,7 @@ For Windows 10, version 1607, organizations already managing their systems with
-
+For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
## Related topics
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 1edb363d0b..6719b903ce 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
-ms.date: 03/20/2018
+ms.date: 04/03/2018
---
# Frequently asked questions and troubleshooting Windows Analytics
@@ -33,6 +33,8 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Disable Upgrade Readiness](#disable-upgrade-readiness)
+[Exporting large data sets](#exporting-large-data-sets)
+
### Devices not showing up
@@ -55,6 +57,11 @@ If you want to check a large number of devices, you should run the latest script
If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
+If you have deployed images that have not been generalized, then many of them might have the same ID and so analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps:
+1. Net stop diagtrack
+2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f
+3. Net start diagtrack
+
### Device Health crash data not appearing
@@ -174,6 +181,24 @@ If you want to stop using Upgrade Readiness and stop sending diagnostic data dat
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection".
+### Exporting large data sets
+
+Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time:
+
+```
+let snapshot = toscalar(UAApp | summarize max(TimeGenerated));
+let pageSize = 100000;
+let pageNumber = 0;
+
+UAApp
+| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count"
+| order by AppName, AppVendor, AppVersion desc
+| serialize
+| where row_number(0) >= (pageSize * pageNumber)
+| take pageSize
+```
+
+
## Other common questions
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index d2655a4cb3..3775d77bac 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -53,7 +53,8 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
-
+>[!NOTE]
+>If you have SSL Inspection enabled on your proxy server, you might need to add the above URLs to your SSL inspection exclusion list to allow data to reach Microsoft endpoints.
### Configuring endpoint access with proxy servers
If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches to ensure that the diagnostic data is not blocked by proxy authentication:
diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md
new file mode 100644
index 0000000000..2fd8f9c79a
--- /dev/null
+++ b/windows/deployment/update/windows-update-sources.md
@@ -0,0 +1,37 @@
+---
+title: Determine the source of Windows updates
+description: Determine the source that Windows Update service is currently using.
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: high
+ms.author: jaimeo
+ms.date: 04/05/2018
+---
+
+# Determine the source of Windows updates
+
+Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
+
+1. Start Windows PowerShell as an administrator
+2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
+3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
+
+| Output | Interpretation |
+|-----------------------------------------------------|-----------------------------------|
+| - Name: **Microsoft Update**
-OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)|
+|- Name: **DCat Flighting Prod**
- OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
- Indicates that the client will not receive or is not configured to receive these updates. |
+| - Name: **Windows Store (DCat Prod)**
- OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.|
+|- Name: **Windows Server Update Service**
- OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS.|
+|- Name: **Windows Update**
- OffersWindowsUpdates: **True** |- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.|
+
+
+
+See also:
+
+[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760)
+
+[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
+
+[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 347b42dee1..1f7c1def87 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 03/30/2018
+ms.date: 04/03/2018
ms.localizationpriority: high
---
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index fb04dd5bf6..7b45c2ed1b 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -66,7 +66,7 @@ To run the Upgrade Readiness deployment script:
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
-4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
+4. A recent version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
@@ -75,7 +75,9 @@ To run the Upgrade Readiness deployment script:
\*vortex\*.data.microsoft.com
\*settings\*.data.microsoft.com
-5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+5. The latest version (03.28.2018) of the deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**.
+
+6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
## Exit codes
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 51a8bd92fe..2dced411ff 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
-ms.date: 03/16/2018
+ms.date: 04/03/2018
author: greg-lindsay
---
@@ -23,7 +23,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Traditional deployment methods use tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
-
+
Category
Scenario
Description
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index d3be3e2ba8..0e81b79e6d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -20,7 +20,7 @@ Prefer video? See
[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
in the Deep Dive into Windows Defender Credential Guard video series.
-For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
+For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index c8fbfbe290..29fcf7faee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -72,7 +72,7 @@ The table shows the minimum requirements for each deployment.
## Frequently Asked Questions
### Can I deploy Windows Hello for Business using System Center Configuration Manager?
-Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deploymnet model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager wil no long be supported after November 2018.
+Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018.
### What is the password-less strategy?
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 61dc742a69..880d8394b1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -284,7 +284,7 @@ If box **2a** reads **GP** and box **2b** reads **modern management**, write **A
| Web Server | NDES |
| CEP Encryption | NDES |
-If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
+If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FS RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
| Certificate Template Name | Issued To |
| --- | --- |
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index c68ad8e70c..20431799cb 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -62,7 +62,7 @@ WIP provides:
- Additional data protection for existing line-of-business apps without a need to update the apps.
-- Ability to wipe corporate data from devices while leaving personal data alone.
+- Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
- Use of audit reports for tracking issues and remedial actions.
diff --git a/windows/security/threat-protection/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/applocker/configure-the-application-identity-service.md
index 73a7463d29..eace7b9b57 100644
--- a/windows/security/threat-protection/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/applocker/configure-the-application-identity-service.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
-ms.date: 09/21/2017
+ms.date: 04/02/2018
---
# Configure the Application Identity service
@@ -38,4 +38,12 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**.
3. Verify that the status for the Application Identity service is **Running**.
-Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic**.
+Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead:
+
+- Open an elevated commnad prompt or PowerShell session and type:
+
+ ```powershell
+ sc.exe config appidsvc start= auto
+ ```
+
+- Create a security template that configures appidsvc to be automatic start, and apply it using secedit.exe or LGPO.exe.
diff --git a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
index 0d9c04fc68..5e17a306fa 100644
--- a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -152,7 +152,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
> **Note** Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
-3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `
-*.updates.microsoft.com
+*.update.microsoft.com
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 4fe762ad49..fb71bda388 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 11/09/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/04/2018
---
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
:-|:-|:-:|:-:|:-:|:-:|:-:
-Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
+Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]]
Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 576adf3128..551c97fea5 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 11/30/2017
+ms.date: 04/04/2018
---
# Configure Windows Defender ATP server endpoints
@@ -80,13 +80,52 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-weu.microsoft.com | 443 |
-### Offboard server endpoints
+## Offboard server endpoints
+You have two options to offboard servers from the service:
+- Uninstall the MMA agent
+- Remove the Windows Defender ATP workspace configuration
+
+
+### Uninstall servers by uinstalling the MMA agent
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
>[!NOTE]
>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
+
+### Remove the Windows Defender ATP workspace configuration
+To offboard the server, you can use either of the following methods:
+
+- Remove the Windows Defender ATP workspace configuration from the MMA agent
+- Run a PowerShell command to remove the configuration
+
+#### Remove the Windows Defender ATP workspace configuration from the MMA agent
+
+1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
+
+2. Select the Windows Defender ATP workspace, and click **Remove**.
+
+ 
+
+#### Run a PowerShell command to remove the configuration
+
+1. Get your workspace ID by going to **Endpoint management** > **Servers**:
+
+ 
+
+2. Open an elevated PowerShell and run the following command. Use the workspace ID you obtained and replacing `WorkspaceID`:
+
+ ```
+ # Load agent scripting object
+ $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
+ # Remove OMS Workspace
+ $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
+ # Reload the configuration and apply changes
+ $AgentCfg.ReloadConfiguration()
+ ```
+
+
## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png
new file mode 100644
index 0000000000..37219b5b0b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png b/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png
new file mode 100644
index 0000000000..ef0a1a23bc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png differ