diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 5d581c9574..2a308af532 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -2,46 +2,13 @@ "build_entry_point": "", "docsets_to_publish": [ { - "docset_name": "bcs-VSTS", - "build_source_folder": "bcs", - "build_output_subfolder": "bcs-VSTS", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "education-VSTS", + "docset_name": "education", "build_source_folder": "education", - "build_output_subfolder": "education-VSTS", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 - }, - { - "docset_name": "eula-vsts", - "build_source_folder": "windows/eulas", - "build_output_subfolder": "eula-vsts", + "build_output_subfolder": "education", "locale": "en-us", "monikers": [], "moniker_ranges": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -51,44 +18,12 @@ "template_folder": "_themes" }, { - "docset_name": "gdpr", - "build_source_folder": "gdpr", - "build_output_subfolder": "gdpr", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "internet-explorer-VSTS", - "build_source_folder": "browsers/internet-explorer", - "build_output_subfolder": "internet-explorer-VSTS", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 - }, - { - "docset_name": "itpro-hololens-VSTS", + "docset_name": "hololens", "build_source_folder": "devices/hololens", - "build_output_subfolder": "itpro-hololens-VSTS", + "build_output_subfolder": "hololens", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -96,35 +31,32 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "keep-secure-VSTS", + "docset_name": "internet-explorer", + "build_source_folder": "browsers/internet-explorer", + "build_output_subfolder": "internet-explorer", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "keep-secure", "build_source_folder": "windows/keep-secure", - "build_output_subfolder": "keep-secure-VSTS", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 - }, - { - "docset_name": "known-issues", - "build_source_folder": "windows/known-issues", - "build_output_subfolder": "known-issues", + "build_output_subfolder": "keep-secure", "locale": "en-us", "monikers": [], "moniker_ranges": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -134,11 +66,12 @@ "template_folder": "_themes" }, { - "docset_name": "mdop-VSTS", + "docset_name": "mdop", "build_source_folder": "mdop", - "build_output_subfolder": "mdop-VSTS", + "build_output_subfolder": "mdop", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -146,31 +79,12 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "microsoft-edge-VSTS", + "docset_name": "microsoft-edge", "build_source_folder": "browsers/edge", - "build_output_subfolder": "microsoft-edge-VSTS", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 - }, - { - "docset_name": "privacy", - "build_source_folder": "windows/privacy", - "build_output_subfolder": "privacy", + "build_output_subfolder": "microsoft-edge", "locale": "en-us", "monikers": [], "moniker_ranges": [], @@ -184,9 +98,9 @@ "template_folder": "_themes" }, { - "docset_name": "security", - "build_source_folder": "windows/security", - "build_output_subfolder": "security", + "docset_name": "release-information", + "build_source_folder": "windows/release-information", + "build_output_subfolder": "release-information", "locale": "en-us", "monikers": [], "moniker_ranges": [], @@ -194,18 +108,18 @@ "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", - "RestApi": "Content", - "LandingData": "Content" + "RestApi": "Content" }, "build_entry_point": "docs", "template_folder": "_themes" }, { - "docset_name": "smb-VSTS", + "docset_name": "smb", "build_source_folder": "smb", - "build_output_subfolder": "smb-VSTS", + "build_output_subfolder": "smb", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -213,16 +127,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "store-for-business-VSTS", + "docset_name": "store-for-business", "build_source_folder": "store-for-business", - "build_output_subfolder": "store-for-business-VSTS", + "build_output_subfolder": "store-for-business", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -230,33 +143,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "surface-hub-VSTS", - "build_source_folder": "devices/surface-hub", - "build_output_subfolder": "surface-hub-VSTS", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 - }, - { - "docset_name": "surface-VSTS", + "docset_name": "surface", "build_source_folder": "devices/surface", - "build_output_subfolder": "surface-VSTS", + "build_output_subfolder": "surface", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -264,16 +159,31 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-access-protection-VSTS", + "docset_name": "surface-hub", + "build_source_folder": "devices/surface-hub", + "build_output_subfolder": "surface-hub", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-access-protection", "build_source_folder": "windows/access-protection", - "build_output_subfolder": "win-access-protection-VSTS", + "build_output_subfolder": "win-access-protection", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -281,16 +191,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-app-management-VSTS", + "docset_name": "win-app-management", "build_source_folder": "windows/application-management", - "build_output_subfolder": "win-app-management-VSTS", + "build_output_subfolder": "win-app-management", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -298,16 +207,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-client-management-VSTS", + "docset_name": "win-client-management", "build_source_folder": "windows/client-management", - "build_output_subfolder": "win-client-management-VSTS", + "build_output_subfolder": "win-client-management", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -315,16 +223,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-configuration-VSTS", + "docset_name": "win-configuration", "build_source_folder": "windows/configuration", - "build_output_subfolder": "win-configuration-VSTS", + "build_output_subfolder": "win-configuration", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -332,16 +239,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-development-VSTS", + "docset_name": "win-deployment", "build_source_folder": "windows/deployment", - "build_output_subfolder": "win-development-VSTS", + "build_output_subfolder": "win-deployment", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -349,16 +255,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-device-security-VSTS", + "docset_name": "win-device-security", "build_source_folder": "windows/device-security", - "build_output_subfolder": "win-device-security-VSTS", + "build_output_subfolder": "win-device-security", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -366,16 +271,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "windows-configure-VSTS", + "docset_name": "windows-configure", "build_source_folder": "windows/configure", - "build_output_subfolder": "windows-configure-VSTS", + "build_output_subfolder": "windows-configure", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -383,16 +287,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "windows-deploy-VSTS", + "docset_name": "windows-deploy", "build_source_folder": "windows/deploy", - "build_output_subfolder": "windows-deploy-VSTS", + "build_output_subfolder": "windows-deploy", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -400,16 +303,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "windows-hub-VSTS", + "docset_name": "windows-hub", "build_source_folder": "windows/hub", - "build_output_subfolder": "windows-hub-VSTS", + "build_output_subfolder": "windows-hub", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -417,16 +319,31 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "windows-manage-VSTS", + "docset_name": "windows-known-issues", + "build_source_folder": "windows/known-issues", + "build_output_subfolder": "windows-known-issues", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-manage", "build_source_folder": "windows/manage", - "build_output_subfolder": "windows-manage-VSTS", + "build_output_subfolder": "windows-manage", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -434,16 +351,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "windows-plan-VSTS", + "docset_name": "windows-plan", "build_source_folder": "windows/plan", - "build_output_subfolder": "windows-plan-VSTS", + "build_output_subfolder": "windows-plan", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -451,16 +367,47 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "windows-update-VSTS", + "docset_name": "windows-privacy", + "build_source_folder": "windows/privacy", + "build_output_subfolder": "windows-privacy", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-security", + "build_source_folder": "windows/security", + "build_output_subfolder": "windows-security", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-update", "build_source_folder": "windows/update", - "build_output_subfolder": "windows-update-VSTS", + "build_output_subfolder": "windows-update", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -468,16 +415,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-threat-protection-VSTS", + "docset_name": "win-threat-protection", "build_source_folder": "windows/threat-protection", - "build_output_subfolder": "win-threat-protection-VSTS", + "build_output_subfolder": "win-threat-protection", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -485,16 +431,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" }, { - "docset_name": "win-whats-new-VSTS", + "docset_name": "win-whats-new", "build_source_folder": "windows/whats-new", - "build_output_subfolder": "win-whats-new-VSTS", + "build_output_subfolder": "win-whats-new", "locale": "en-us", "monikers": [], + "moniker_ranges": [], "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", @@ -502,14 +447,15 @@ "RestApi": "Content" }, "build_entry_point": "docs", - "template_folder": "_themes", - "moniker_groups": [], - "version": 0 + "template_folder": "_themes" } ], "notification_subscribers": [ "elizapo@microsoft.com" ], + "sync_notification_subscribers": [ + "daniha@microsoft.com" + ], "branches_to_filter": [ "" ], @@ -518,6 +464,7 @@ "skip_source_output_uploading": false, "need_preview_pull_request": true, "resolve_user_profile_using_github": true, + "contribution_branch_mappings": {}, "dependent_repositories": [ { "path_to_root": "_themes.pdf", @@ -540,10 +487,6 @@ "master": [ "Publish", "Pdf" - ], - "atp-api-danm": [ - "Publish", - "Pdf" ] }, "need_generate_pdf_url_template": true, diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 47d3a0ac90..f6b41f4ac4 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,6 +6,31 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", +"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md", +"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md", +"redirect_url": "/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md", +"redirect_url": "/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md", "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows", "redirect_document_id": true @@ -13909,5 +13934,20 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators", +"redirect_document_id": true +}, ] } diff --git a/bcs/docfx.json b/bcs/docfx.json index 16e842d530..2fa639d038 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -40,6 +40,7 @@ }, "fileMetadata": {}, "template": [], - "dest": "bcs-vsts" + "dest": "bcs-vsts", + "markdownEngineName": "dfm" } } \ No newline at end of file diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 42532b3fb2..981615d98b 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -19,20 +19,20 @@ "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", "ms.topic": "article", - "ms.author": "shortpatti", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", + "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.microsoft-edge" + "depot_name": "Win.microsoft-edge", + "folder_relative_path_in_docset": "./" } } }, "externalReference": [ ], "template": "op.html", - "dest": "browsers/edge" + "dest": "browsers/edge", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/browsers/edge/edge-technical-demos.md b/browsers/edge/edge-technical-demos.md index b401556fed..4044596777 100644 --- a/browsers/edge/edge-technical-demos.md +++ b/browsers/edge/edge-technical-demos.md @@ -1,7 +1,7 @@ --- title: Microsoft Edge training and demonstrations -ms.prod: browser-edge -layout: article +description: Get access to training and demonstrations for Microsoft Edge. +ms.prod: edge ms.topic: article ms.manager: elizapo author: lizap diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 7c469da556..3d007554e7 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -42,7 +42,7 @@ ms:topic: include ### Related policies -- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] +- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index f989f0e5c8..d862020dcc 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,96 +1,52 @@ --- title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: shortpatti -ms.author: pashort +author: lizap +ms.author: elizapo ms.prod: edge -ms.topic: reference +ms.topic: article ms.mktglfcycl: general ms.sitesec: library ms.localizationpriority: medium -ms.date: 11/05/2018 --- # Frequently Asked Questions (FAQs) for IT Pros >Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile -**Q: Why is the Sync settings option under Settings \> Accounts \> Sync your settings permanently disabled? +## How can I get the next major version of Microsoft Edge, based on Chromium? +In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). -**A:** In the Windows 10 Anniversary Update, domain-joined users who connected their Microsoft Account (MSA) could roam settings and data between Windows devices. A group policy to prevent users from connecting their MSAs exists, but this setting also prevents users from easily accessing their personal Microsoft services. Enterprises can still enable Enterprise State Roaming with Azure Active Directory. +## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? +Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. ->In a nutshell, any fresh install of Windows 10 Creators Update or higher does not support funtionality if it's under an Active Directory, but works for Azure Active Directory. +For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). -**Q: What is the size of the local storage for Microsoft Edge overall and per domain?** +## Does Microsoft Edge work with Enterprise Mode? +[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. -**A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total. +## How do I customize Microsoft Edge and related settings for my organization? +You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. -**Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?** +## Is Adobe Flash supported in Microsoft Edge? +Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. -**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites. +To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). -For more information on how Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). +## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? +No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. -**Q: Does Microsoft Edge work with Enterprise Mode?** +## How often will Microsoft Edge be updated? +In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. -**A:** [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. +## How can I provide feedback on Microsoft Edge? +Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. +## Will Internet Explorer 11 continue to receive updates? +We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. -**Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?** - -**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016 and Windows Server 2019, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - -**Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?** - -**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service. - -**Q: How do I customize Microsoft Edge and related settings for my organization?** - -**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index) for a list of available policies for Microsoft Edge and configuration combinations. - -**Q: Is Adobe Flash supported in Microsoft Edge?** - -**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](available-policies.md#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. - - - -To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - - -**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** - -**A:** No. Microsoft Edge does not support ActiveX controls and BHOs such as Silverlight or Java. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. - - -**Q: How often will Microsoft Edge be updated?** - -**A:** In Windows 10, we are delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, and the bigger feature updates are currently pushed out with the Windows 10 releases on a semi-annual cadence. - -**Q: How can I provide feedback on Microsoft Edge?** - -**A:** Microsoft Edge is an evergreen browser and we will continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, you can use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. You can also provide feedback through the [Microsoft Edge Dev Twitter](https://twitter.com/MSEdgeDev) account. - -**Q: Will Internet Explorer 11 continue to receive updates?** - -**A:** We will continue to deliver security updates to Internet Explorer 11 through its supported lifespan. To ensure consistent behavior across Windows versions, we will evaluate Internet Explorer 11 bugs for servicing on a case by case basis. The latest features and platform updates will only be available in Microsoft Edge. - -**Q: I loaded a web page and Microsoft Edge sent me to Internet Explorer - what happened?** - -**A:** In some cases, Internet Explorer loads automatically for sites that still rely on legacy technologies such as ActiveX. For more information, read [Legacy web apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#uHpbs94kAaVsU1qB.97). - -**Q: Why is Do Not Track (DNT) off by default in Microsoft Edge?** - -**A:** When Microsoft first set the Do Not Track setting to “On” by default in Internet Explorer 10, industry standards had not yet been established. We are now making this default change as the World Wide Web Consortium (W3C) formalizes industry standards to recommend that default settings allow customers to actively indicate whether they want to enable DNT. As a result, DNT will not be enabled by default in upcoming versions of Microsoft’s browsers, but we will provide customers with clear information on how to turn this feature on in the browser settings should you wish to do so. - -**Q: How do I find out what version of Microsoft Edge I have?** - -**A:** Open Microsoft Edge. In the upper right corner click the ellipses icon (**…**), and then click **Settings**. Look in the **About this app** section to find your version. - -**Q: What is Microsoft EdgeHTML?** - -**A:** Microsoft EdgeHTML is the new web rendering engine that powers the Microsoft Edge web browser and Windows 10 web app platform, and that helps web developers build and maintain a consistent site across all modern browsers. The Microsoft EdgeHTML engine also helps to defend against hacking through support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks, and support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant), which helps ensure that connections to important sites, such as to your bank, are always secured. - -**Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?** - -**A:** No. Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. +## How do I find out what version of Microsoft Edge I have? +In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. +## What is Microsoft EdgeHTML? +Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-forrester.md b/browsers/edge/microsoft-edge-forrester.md index af5edc25e9..46e097832b 100644 --- a/browsers/edge/microsoft-edge-forrester.md +++ b/browsers/edge/microsoft-edge-forrester.md @@ -1,15 +1,12 @@ --- -title: Microsoft Edge - Forrester Total Economic Impact +title: Forrester Total Economic Impact - Microsoft Edge description: Review the results of the Microsoft Edge study carried out by Forrester Research -ms.prod: browser-edge -layout: article +ms.prod: edge ms.topic: article -ms.manager: elizapo author: lizap ms.author: elizapo ms.localizationpriority: high --- - # Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity. diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index a8f34188e6..81e06a0a9d 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -236,7 +236,7 @@ In the following table, we show you the features available in both Microsoft Edg |---------------|:----------------:|:---------------:| | Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | | Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | | Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | | Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index c1c094727a..1d5723ae94 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -33,7 +33,7 @@ sections: - type: markdown text: " Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.
- +

**Test your site on Microsoft Edge**
Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.
Test your site on Microsoft Edge for free on BrowserStack
Use sonarwhal to improve your website.
**Improve compatibility with Enterprise Mode**
With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.
Use Enterprse mode to improve compatibility
Turn on Enterprise Mode and use a site list
Enterprise Site List Portal
Ultimate browser strategy on Windows 10
**Web Application Compatibility Lab Kit**
The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.
Find out more

**Test your site on Microsoft Edge**
Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.
Test your site on Microsoft Edge for free on BrowserStack
Use sonarwhal to improve your website.
**Improve compatibility with Enterprise Mode**
With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.
Use Enterprse mode to improve compatibility
Turn on Enterprise Mode and use a site list
Enterprise Site List Portal
Ultimate browser strategy on Windows 10
**Web Application Compatibility Lab Kit**
The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.
Find out more
" - title: Security @@ -49,7 +49,7 @@ sections: - type: markdown text: " Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.
- +

**Deployment**
Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.
Microsoft Edge deployment guide
Microsoft Edge FAQ
System requirements and language support
Group Policy and MDM settings in Microsoft Edge
Download the Web Application Compatibility Lab Kit
Microsoft Edge training and demonstrations
**End user readiness**
Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.
Quick Start: Microsoft Edge (PDF, .98 MB)
Find it faster with Microsoft Edge (PDF, 605 KB)
Use Microsoft Edge to collaborate (PDF, 468 KB)
Import bookmarks
Password management
Microsoft Edge tips and tricks (video, 20:26)

**Deployment**
Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.
Microsoft Edge deployment guide
Microsoft Edge FAQ
System requirements and language support
Group Policy and MDM settings in Microsoft Edge
Download the Web Application Compatibility Lab Kit
Microsoft Edge training and demonstrations
**End user readiness**
Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.
Quick Start: Microsoft Edge (PDF, .98 MB)
Find it faster with Microsoft Edge (PDF, 605 KB)
Use Microsoft Edge to collaborate (PDF, 468 KB)
Import bookmarks
Password management
Microsoft Edge tips and tricks (video, 20:26)
" - title: Stay informed diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md index 03ce172837..f2742ca22d 100644 --- a/browsers/edge/web-app-compat-toolkit.md +++ b/browsers/edge/web-app-compat-toolkit.md @@ -1,7 +1,7 @@ --- title: Web Application Compatibility lab kit -ms.prod: browser-edge -layout: article +description: Learn how to use the web application compatibility toolkit for Microsoft Edge. +ms.prod: edge ms.topic: article ms.manager: elizapo author: lizap diff --git a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md index 72e501af4b..808a874dba 100644 --- a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how to add employees to the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index 595d31fa6f..877885d8e6 100644 --- a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index c8077d0f92..4cdf9fe53e 100644 --- a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 6ebdd65d65..49b19fe506 100644 --- a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 4c6531c174..59729cbde1 100644 --- a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/administrative-templates-and-ie11.md b/browsers/enterprise-mode/administrative-templates-and-ie11.md index 8f22d23808..6adfc06b58 100644 --- a/browsers/enterprise-mode/administrative-templates-and-ie11.md +++ b/browsers/enterprise-mode/administrative-templates-and-ie11.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: security description: Administrative templates and Internet Explorer 11 -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md index 24078753c7..d6f1772b59 100644 --- a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md index cf0a576c0e..417dc77cad 100644 --- a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md @@ -6,8 +6,8 @@ ms.prod: ie11 ms.mktglfcycl: deploy ms.pagetype: appcompat ms.sitesec: library -author: eross-msft -ms.author: lizross +author: jdeckerms +ms.author: dougkim ms.date: 08/14/2017 ms.localizationpriority: low --- diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index 4752275c43..5329325698 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -2,7 +2,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 title: Collect data using Enterprise Site Discovery diff --git a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md index 36066de055..290b39d09d 100644 --- a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md index 4dfb16435c..771b794761 100644 --- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how to create a change request within the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 13fd5539cd..04ba74d178 100644 --- a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low description: Delete a single site from your global Enterprise Mode site list. ms.pagetype: appcompat ms.mktglfcycl: deploy -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index c6e03cadc0..f19c3e402a 100644 --- a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md index b7d9399d77..30ded77dda 100644 --- a/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md +++ b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md index 52ada71083..ef400d46d7 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md index ebc229a1db..2460a2a53d 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index 8e779574c1..929957a727 100644 --- a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 963880eb75..7be8b574cc 100644 --- a/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md index 546fe2133e..37eb813af3 100644 --- a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md +++ b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Instructions about how to remove sites from a local compatibility view list. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md index 8b15e9ddd5..ca2d5c72aa 100644 --- a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Instructions about how to remove sites from a local Enterprise Mode site list. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md index 7ec1867c5b..e41bd71f67 100644 --- a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md index f49ad80a75..17ab2b26ac 100644 --- a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 5292cf3570..17eed9cd2e 100644 --- a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Search to see if a specific site already appears in your global Enterprise Mode site list. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md index b67d27b563..4dff80ce73 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Set up and turn on Enterprise Mode logging and data collection in your organization. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md index fe5fe752fc..a3ec81f18b 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how to set up the Enterprise Mode Site List Portal for your organization. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/turn-off-enterprise-mode.md b/browsers/enterprise-mode/turn-off-enterprise-mode.md index 12a4ee7ffd..31c3feec2f 100644 --- a/browsers/enterprise-mode/turn-off-enterprise-mode.md +++ b/browsers/enterprise-mode/turn-off-enterprise-mode.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md index 5781fe3fc0..74225acded 100644 --- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Turn on local user control and logging for Enterprise Mode. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md index fbe6ddff8f..b85478da24 100644 --- a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md +++ b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/using-enterprise-mode.md b/browsers/enterprise-mode/using-enterprise-mode.md index 313a07e8e8..244e102f38 100644 --- a/browsers/enterprise-mode/using-enterprise-mode.md +++ b/browsers/enterprise-mode/using-enterprise-mode.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: security description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. -author: eross-msft +author: jdeckerms ms.prod: ie11 ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md index 94de88ee4e..9ceeafb141 100644 --- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md index 00fb099e3f..5ec5b93f66 100644 --- a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md index 29d1d8afe9..8ed5e12491 100644 --- a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md +++ b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md @@ -3,7 +3,7 @@ ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal. -author: eross-msft +author: jdeckerms ms.prod: ie11 title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 323ba3e4bd..4446936eb1 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -27,13 +27,15 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.internet-explorer" + "depot_name": "Win.internet-explorer", + "folder_relative_path_in_docset": "./" } } }, "externalReference": [ ], "template": "op.html", - "dest": "edges/internet-explorer" + "dest": "edges/internet-explorer", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index ae241bde6a..f0dbb0fe38 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -67,7 +67,7 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). >[!NOTE] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq). + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index b314f85b52..6b1c835350 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -12,5 +12,6 @@ ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Install apps on HoloLens](hololens-install-apps.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) +## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) ## [How HoloLens stores data for spaces](hololens-spaces.md) ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 1fc820a243..315e2f8cc1 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -9,16 +9,17 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 11/05/2018 --- # Change history for Microsoft HoloLens documentation This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). -## Windows 10 Holographic for Business, version 1809 +## April 2019 -The topics in this library have been updated for Windows 10 Holographic for Business, version 1809. +New or changed topic | Description +--- | --- +[Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) | New ## November 2018 @@ -26,6 +27,10 @@ New or changed topic | Description --- | --- [How HoloLens stores data for spaces](hololens-spaces.md) | New +## Windows 10 Holographic for Business, version 1809 + +The topics in this library have been updated for Windows 10 Holographic for Business, version 1809. + ## October 2018 diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 7a67485a17..dddf3dbe50 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -40,7 +40,8 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.itpro-hololens" + "depot_name": "Win.itpro-hololens", + "folder_relative_path_in_docset": "./" } } }, @@ -48,6 +49,7 @@ "template": [ null ], - "dest": "devices/hololens" + "dest": "devices/hololens", + "markdownEngineName": "dfm" } } diff --git a/devices/hololens/hololens-install-localized.md b/devices/hololens/hololens-install-localized.md index 8e5a72150a..e3729388c3 100644 --- a/devices/hololens/hololens-install-localized.md +++ b/devices/hololens/hololens-install-localized.md @@ -28,6 +28,7 @@ In order to switch to the Chinese or Japanese version of HoloLens, you’ll need 8. Select **Install software** and follow the instructions to finish installing. 9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. +When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is. ## Note for language support diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md new file mode 100644 index 0000000000..e5d185bf40 --- /dev/null +++ b/devices/hololens/hololens-recovery.md @@ -0,0 +1,60 @@ +--- +title: Restore HoloLens 2 using Advanced Recovery Companion +description: How to use Advanced Recovery Companion to flash an image to HoloLens 2. +ms.prod: hololens +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +--- + +# Restore HoloLens 2 using Advanced Recovery Companion + +>[!TIP] +>If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2. + +>[!WARNING] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The Advanced Recovery Companion is a new app in Microsoft Store that you can use to restore the operating system image to your HoloLens device. + +When your HoloLens 2 is unresponsive, not running properly, or is experiencing software or update problems, try these things in order: + +1. [Restart](#restart-hololens-2) the HoloLens 2. +2. [Reset](#reset-hololens-2) the HoloLens 2. +3. [Recover](#recover-hololens-2) the HoloLens 2. + +>[!IMPORTANT] +>Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete. + +## Restart HoloLens 2 + +A device restart can often "fix" a computer issue. First, say "Hey Cortana, restart the device." + +If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device. + +If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device. + +## Reset HoloLens 2 + +If the device is still having a problem after restart, use reset to return the HoloLens 2 to factory settings. + +To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset device**. + +>[!NOTE] +>The battery needs at least 40 percent charge to reset. + +## Recover HoloLens 2 + +If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image. + +1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store. +2. Connect HoloLens 2 to your computer. +3. Start Advanced Recovery Companion. +4. On the **Welcome** page, select your device. +5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.) +6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device. + +>[!NOTE] +>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index f4df822a14..058ddefab4 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -2,6 +2,7 @@ ## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) ## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) ## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) +### [Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md) ### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) ### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) #### [Online deployment](online-deployment-surface-hub-device-accounts.md) @@ -32,7 +33,7 @@ #### [Wireless network management](wireless-network-management-for-surface-hub.md) ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) ### [Configure Surface Hub Start menu](surface-hub-start-menu.md) -### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) +### [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) ### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) ### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) @@ -40,11 +41,15 @@ ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) ### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) ### [Using a room control system](use-room-control-system-with-surface-hub.md) +### [Implement Quality of Service on Surface Hub](surface-hub-qos.md) ### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) +### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md) ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) ## [Top support solutions for Surface Hub](support-solutions-surface-hub.md) ## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) ## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) ## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) +## [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) +## [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) ## [Change history for Surface Hub](change-history-surface-hub.md) \ No newline at end of file diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 5771b3f3c5..05e00d56fe 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -64,8 +64,11 @@ Surface Hubs use Azure AD join to: - Grant admin rights to the appropriate users in your Azure AD tenant. - Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details. -> [!IMPORTANT] -> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD. +### Automatic enrollment via Azure Active Directory join + +Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory. + +For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment). ### Which should I choose? diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 836ff19136..d105eef44f 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -7,7 +7,6 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 07/12/2018 ms.localizationpriority: medium --- @@ -15,6 +14,16 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## April 2019 + +New or changed topic | Description +--- | --- +[Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md) | New; previously available for download only +[Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec) +[Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec) +[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | New; previously available for download only +[Implement Quality of Service on Surface Hub](surface-hub-qos.md) | New + ## July 2018 New or changed topic | Description diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index dc313f8f5d..2d52e698c0 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -190,15 +190,15 @@ Enable the device account with Skype for Business. In order to enable Skype for Business, your environment will need to meet the following prerequisites: -- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). +- You'll need to have Skype for Business Online Standalone Plan 2 or higher in your O365 plan. The plan needs to support conferencing capability. +- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Skype for Business Online Standalone Plan 3. - Your tenant users must have Exchange mailboxes. -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +- Your Surface Hub account does require a Skype for Business Online Standalone Plan 2 or Skype for Business Online Standalone Plan 3 license, but it does not require an Exchange Online license. 1. Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -348,15 +348,15 @@ Enable the device account with Skype for Business. In order to enable Skype for Business, your environment will need to meet the following prerequisites: -- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). +- You'll need to have Skype for Business Online Standalone Plan 2 or higher in your O365 plan. The plan needs to support conferencing capability. +- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Skype for Business Online Standalone Plan 3. - Your tenant users must have Exchange mailboxes. -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +- Your Surface Hub account does require a Skype for Business Online Standalone Plan 2 or Skype for Business Online Standalone Plan 3 license, but it does not require an Exchange Online license. 1. Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -372,8 +372,7 @@ If you aren't sure what value to use for the `RegistrarPool` parameter in your e 3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool - "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index 7fce01ab55..f562b84288 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -76,7 +76,7 @@ If the device account gets into an unstable state or the Admin account is runnin On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). -1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch. +1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](surface-hub-site-readiness-guide.md) for help with locating the power switch. 2. The device should automatically boot into Windows RE. 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index 47f420a4d0..9feee3c192 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -29,13 +29,15 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.surface-hub" + "depot_name": "Win.surface-hub", + "folder_relative_path_in_docset": "./" } } }, "externalReference": [ ], "template": "op.html", - "dest": "devices/surface-hub" + "dest": "devices/surface-hub", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/devices/surface-hub/images/35mm.png b/devices/surface-hub/images/35mm.png new file mode 100644 index 0000000000..7a414337b6 Binary files /dev/null and b/devices/surface-hub/images/35mm.png differ diff --git a/devices/surface-hub/images/analog.png b/devices/surface-hub/images/analog.png new file mode 100644 index 0000000000..1f1666903b Binary files /dev/null and b/devices/surface-hub/images/analog.png differ diff --git a/devices/surface-hub/images/caution.PNG b/devices/surface-hub/images/caution.PNG new file mode 100644 index 0000000000..0f87b07c0f Binary files /dev/null and b/devices/surface-hub/images/caution.PNG differ diff --git a/devices/surface-hub/images/dport.png b/devices/surface-hub/images/dport.png new file mode 100644 index 0000000000..2842f96ad4 Binary files /dev/null and b/devices/surface-hub/images/dport.png differ diff --git a/devices/surface-hub/images/dportio.png b/devices/surface-hub/images/dportio.png new file mode 100644 index 0000000000..02bf145d60 Binary files /dev/null and b/devices/surface-hub/images/dportio.png differ diff --git a/devices/surface-hub/images/dportout.png b/devices/surface-hub/images/dportout.png new file mode 100644 index 0000000000..4b6bb87663 Binary files /dev/null and b/devices/surface-hub/images/dportout.png differ diff --git a/devices/surface-hub/images/hdmi.png b/devices/surface-hub/images/hdmi.png new file mode 100644 index 0000000000..a2c69ace45 Binary files /dev/null and b/devices/surface-hub/images/hdmi.png differ diff --git a/devices/surface-hub/images/iec.png b/devices/surface-hub/images/iec.png new file mode 100644 index 0000000000..7ca6e9237b Binary files /dev/null and b/devices/surface-hub/images/iec.png differ diff --git a/devices/surface-hub/images/key-55.png b/devices/surface-hub/images/key-55.png new file mode 100644 index 0000000000..d0ee9a5d13 Binary files /dev/null and b/devices/surface-hub/images/key-55.png differ diff --git a/devices/surface-hub/images/qos-create.png b/devices/surface-hub/images/qos-create.png new file mode 100644 index 0000000000..7cd4726ddb Binary files /dev/null and b/devices/surface-hub/images/qos-create.png differ diff --git a/devices/surface-hub/images/qos-setting.png b/devices/surface-hub/images/qos-setting.png new file mode 100644 index 0000000000..d775d9a46f Binary files /dev/null and b/devices/surface-hub/images/qos-setting.png differ diff --git a/devices/surface-hub/images/replacement-port-55.PNG b/devices/surface-hub/images/replacement-port-55.PNG new file mode 100644 index 0000000000..5bf0b51b02 Binary files /dev/null and b/devices/surface-hub/images/replacement-port-55.PNG differ diff --git a/devices/surface-hub/images/replacement-port-84.PNG b/devices/surface-hub/images/replacement-port-84.PNG new file mode 100644 index 0000000000..45284b4ab9 Binary files /dev/null and b/devices/surface-hub/images/replacement-port-84.PNG differ diff --git a/devices/surface-hub/images/rj11.png b/devices/surface-hub/images/rj11.png new file mode 100644 index 0000000000..f044354caa Binary files /dev/null and b/devices/surface-hub/images/rj11.png differ diff --git a/devices/surface-hub/images/rj45.png b/devices/surface-hub/images/rj45.png new file mode 100644 index 0000000000..ca88423217 Binary files /dev/null and b/devices/surface-hub/images/rj45.png differ diff --git a/devices/surface-hub/images/sh-55-bottom.png b/devices/surface-hub/images/sh-55-bottom.png new file mode 100644 index 0000000000..3d718d1226 Binary files /dev/null and b/devices/surface-hub/images/sh-55-bottom.png differ diff --git a/devices/surface-hub/images/sh-55-clearance.png b/devices/surface-hub/images/sh-55-clearance.png new file mode 100644 index 0000000000..12fc35ec49 Binary files /dev/null and b/devices/surface-hub/images/sh-55-clearance.png differ diff --git a/devices/surface-hub/images/sh-55-front.png b/devices/surface-hub/images/sh-55-front.png new file mode 100644 index 0000000000..e1268ee328 Binary files /dev/null and b/devices/surface-hub/images/sh-55-front.png differ diff --git a/devices/surface-hub/images/sh-55-hand-rear.png b/devices/surface-hub/images/sh-55-hand-rear.png new file mode 100644 index 0000000000..b1ff007ec2 Binary files /dev/null and b/devices/surface-hub/images/sh-55-hand-rear.png differ diff --git a/devices/surface-hub/images/sh-55-hand.png b/devices/surface-hub/images/sh-55-hand.png new file mode 100644 index 0000000000..6f8d96ba8e Binary files /dev/null and b/devices/surface-hub/images/sh-55-hand.png differ diff --git a/devices/surface-hub/images/sh-55-rear.png b/devices/surface-hub/images/sh-55-rear.png new file mode 100644 index 0000000000..840b941e03 Binary files /dev/null and b/devices/surface-hub/images/sh-55-rear.png differ diff --git a/devices/surface-hub/images/sh-55-top.png b/devices/surface-hub/images/sh-55-top.png new file mode 100644 index 0000000000..f8c93f5d1b Binary files /dev/null and b/devices/surface-hub/images/sh-55-top.png differ diff --git a/devices/surface-hub/images/sh-84-bottom.png b/devices/surface-hub/images/sh-84-bottom.png new file mode 100644 index 0000000000..d7252537e4 Binary files /dev/null and b/devices/surface-hub/images/sh-84-bottom.png differ diff --git a/devices/surface-hub/images/sh-84-clearance.png b/devices/surface-hub/images/sh-84-clearance.png new file mode 100644 index 0000000000..8fd0cd2c32 Binary files /dev/null and b/devices/surface-hub/images/sh-84-clearance.png differ diff --git a/devices/surface-hub/images/sh-84-front.png b/devices/surface-hub/images/sh-84-front.png new file mode 100644 index 0000000000..8afa0de18b Binary files /dev/null and b/devices/surface-hub/images/sh-84-front.png differ diff --git a/devices/surface-hub/images/sh-84-hand-top.png b/devices/surface-hub/images/sh-84-hand-top.png new file mode 100644 index 0000000000..1e52446eb0 Binary files /dev/null and b/devices/surface-hub/images/sh-84-hand-top.png differ diff --git a/devices/surface-hub/images/sh-84-hand.png b/devices/surface-hub/images/sh-84-hand.png new file mode 100644 index 0000000000..3e84a8a434 Binary files /dev/null and b/devices/surface-hub/images/sh-84-hand.png differ diff --git a/devices/surface-hub/images/sh-84-rear.png b/devices/surface-hub/images/sh-84-rear.png new file mode 100644 index 0000000000..5837d4e185 Binary files /dev/null and b/devices/surface-hub/images/sh-84-rear.png differ diff --git a/devices/surface-hub/images/sh-84-side.png b/devices/surface-hub/images/sh-84-side.png new file mode 100644 index 0000000000..6b1ad8385b Binary files /dev/null and b/devices/surface-hub/images/sh-84-side.png differ diff --git a/devices/surface-hub/images/sh-84-top.png b/devices/surface-hub/images/sh-84-top.png new file mode 100644 index 0000000000..badc94af0b Binary files /dev/null and b/devices/surface-hub/images/sh-84-top.png differ diff --git a/devices/surface-hub/images/sh-84-wall.png b/devices/surface-hub/images/sh-84-wall.png new file mode 100644 index 0000000000..15d2e5a848 Binary files /dev/null and b/devices/surface-hub/images/sh-84-wall.png differ diff --git a/devices/surface-hub/images/ssd-click.PNG b/devices/surface-hub/images/ssd-click.PNG new file mode 100644 index 0000000000..5dfcc57c42 Binary files /dev/null and b/devices/surface-hub/images/ssd-click.PNG differ diff --git a/devices/surface-hub/images/ssd-lift-door.PNG b/devices/surface-hub/images/ssd-lift-door.PNG new file mode 100644 index 0000000000..d395ce91aa Binary files /dev/null and b/devices/surface-hub/images/ssd-lift-door.PNG differ diff --git a/devices/surface-hub/images/ssd-location.PNG b/devices/surface-hub/images/ssd-location.PNG new file mode 100644 index 0000000000..9b774456b1 Binary files /dev/null and b/devices/surface-hub/images/ssd-location.PNG differ diff --git a/devices/surface-hub/images/ssd-lock-tab.PNG b/devices/surface-hub/images/ssd-lock-tab.PNG new file mode 100644 index 0000000000..17c11dc7a2 Binary files /dev/null and b/devices/surface-hub/images/ssd-lock-tab.PNG differ diff --git a/devices/surface-hub/images/ssd-pull-tab.PNG b/devices/surface-hub/images/ssd-pull-tab.PNG new file mode 100644 index 0000000000..a306f08a13 Binary files /dev/null and b/devices/surface-hub/images/ssd-pull-tab.PNG differ diff --git a/devices/surface-hub/images/switch.png b/devices/surface-hub/images/switch.png new file mode 100644 index 0000000000..5ea0d21909 Binary files /dev/null and b/devices/surface-hub/images/switch.png differ diff --git a/devices/surface-hub/images/usb.png b/devices/surface-hub/images/usb.png new file mode 100644 index 0000000000..a743c6b634 Binary files /dev/null and b/devices/surface-hub/images/usb.png differ diff --git a/devices/surface-hub/images/vga.png b/devices/surface-hub/images/vga.png new file mode 100644 index 0000000000..016b42d1f4 Binary files /dev/null and b/devices/surface-hub/images/vga.png differ diff --git a/devices/surface-hub/images/~$rface-hub-site-readiness-guide-en-us.docx b/devices/surface-hub/images/~$rface-hub-site-readiness-guide-en-us.docx new file mode 100644 index 0000000000..1d44312447 Binary files /dev/null and b/devices/surface-hub/images/~$rface-hub-site-readiness-guide-en-us.docx differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index f91b3e81bf..82f19b1a90 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -46,7 +46,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof | [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. | | [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | | [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. | -| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | +| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents. | | [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 9518232b8b..3761627ee5 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -32,7 +32,7 @@ Learn about managing and updating Surface Hub. | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network | | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.| [Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub. -| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | +| [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | | [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| | [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. | | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| @@ -41,6 +41,7 @@ Learn about managing and updating Surface Hub. [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. | [Using a room control system](https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | Use the Surface Hub Recovery Tool to re-image the Surface Hub SSD. +[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | Learn how to remove and replace the solid state drive in your Surface Hub. ## Related topics diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index f750d07a4f..9c22a5b744 100644 --- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium # Physically install Microsoft Surface Hub -The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box. +The [Microsoft Surface Hub Readiness Guide](surface-hub-site-readiness-guide.md) will help make sure that your site is ready for the installation. It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box. You may also want to check out the Unpacking Guide. It will show you how to unpack the devices efficiently and safely. There are two guides, one for the 55" and one for the 84". A printed version of the Unpacking Guide is attached to the outside front of each unit's shipping crate. diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 0ae8b338d8..6f1deba6b9 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -37,8 +37,8 @@ Additionally, note that Surface Hub requires the following open ports: If you are using Surface Hub with Skype for Business, you will need to open additional ports. Please follow the guidance below: - If you use Skype for Business Online, see [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). -- If you use Skype for Business Server, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). -- If you use a hybrid of Skype for Business Online and Skype for Business Server, you need to open all documented ports from [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) and [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). +- If you use Skype for Business Server, see [Skype for Business Server: Ports and protocols for internal servers](https://docs.microsoft.com/SkypeForBusiness/plan-your-deployment/network-requirements/ports-and-protocols). +- If you use a hybrid of Skype for Business Online and Skype for Business Server, you need to open all documented ports from [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) and [Skype for Business Server: Ports and protocols for internal servers](https://docs.microsoft.com/SkypeForBusiness/plan-your-deployment/network-requirements/ports-and-protocols?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json). Microsoft collects diagnostic data to help improve your Surface Hub experience. Add these sites to your allow list: - Diagnostic data client endpoint: `https://vortex.data.microsoft.com/` diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md index ad3c3d7d7e..5698f985b0 100644 --- a/devices/surface-hub/provisioning-packages-for-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 07/27/2017 +ms.date: 03/16/2019 ms.localizationpriority: medium --- @@ -267,13 +267,13 @@ If your build is successful, the name of the provisioning package, output direct ## Apply a provisioning package to Surface Hub -There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). +There are two options for deploying provisioning packages to a Surface Hub. [During the first run wizard](#apply-a-provisioning-package-during-first-run), you can apply a provisioning package that installs certificates, or after the first-run program is complete, you can apply a provisioning package that configures settings, apps, and certificates by using [Settings](#apply-a-package-using-settings). ### Apply a provisioning package during first run > [!IMPORTANT] -> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. +> During the first-run program, you can only use provisioning packages to install certificates. Use the **Settings** app to install apps and apply other settings. 1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index 689358891c..fd4d2c9332 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md @@ -12,16 +12,14 @@ ms.localizationpriority: medium # Useful downloads for Microsoft Surface Hub -This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. +This topic provides links to useful Surface Hub documents, such as product datasheets and user's guide. | Link | Description | | --- | --- | -| [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) | | [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. | | [Surface Hub Quick Reference Guide (PDF)](https://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | | [Surface Hub User Guide (PDF)](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. | | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. | -| [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. | | [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](https://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. | | [Unpacking Guide for 84-inch Surface Hub (PDF)](https://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) | | [Unpacking Guide for 55-inch Surface Hub (PDF)](https://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) | diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md new file mode 100644 index 0000000000..39463f0d49 --- /dev/null +++ b/devices/surface-hub/surface-hub-qos.md @@ -0,0 +1,51 @@ +--- +title: Implement Quality of Service on Surface Hub +description: Learn how to configure QoS on Surface Hub. +ms.prod: surface-hub +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +--- + +# Implement Quality of Service (QoS) on Surface Hub + +Quality of Service (QoS) is a combination of network technologies that allows the administrators to optimize the experience of real time audio/video and application sharing communications. + +Configuring [QoS for Skype for Business](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp) on the Surface Hub can be done using your [mobile device management (MDM) provider](manage-settings-with-mdm-for-surface-hub.md) or through a [provisioning package](provisioning-packages-for-surface-hub.md). + + +This procedure explains how to configure QoS for Surface Hub using Microsoft Intune. + +1. In Intune, [create a custom policy](https://docs.microsoft.com/intune/custom-settings-configure). + + ![Screenshot of custom policy creation dialog in Intune](images/qos-create.png) + +2. In **Custom OMA-URI Settings**, select **Add**. For each setting that you add, you will enter a name, description (optional), data type, OMA-URI, and value. + + ![Screenshot of a blank OMA-URI setting dialog box](images/qos-setting.png) + +3. Add the following custom OMA-URI settings: + + Name | Data type | OMA-URI
./Device/Vendor/MSFT/NetworkQoSPolicy | Value + --- | --- | --- | --- + Audio Source Port | String | /HubAudio/SourcePortMatchCondition | Get the values from your Skype administrator + Audio DSCP | Integer | /HubAudio/DSCPAction | 46 + Video Source Port | String | /HubVideo/SourcePortMatchCondition | Get the values from your Skype administrator + Video DSCP | Integer | /HubVideo/DSCPAction | 34 + Audio Process Name | String | /HubAudio/AppPathNameMatchCondition | Microsoft.PPISkype.Windows.exe + Video Process Name | String | /HubVideo/AppPathNameMatchCondition | Microsoft.PPISkype.Windows.exe + + >[!IMPORTANT] + >Each **OMA-URI** path begins with `./Device/Vendor/MSFT/NetworkQoSPolicy`. The full path for the audio source port setting, for example, will be `./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition`. + + + + +4. When the policy has been created, [deploy it to the Surface Hub.](manage-settings-with-mdm-for-surface-hub.md#manage-surface-hub-settings-with-mdm) + + +>[!WARNING] +>Currently, you cannot configure the setting **IPProtocolMatchCondition** in the [NetworkQoSPolicy CSP](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp). If this setting is configured, the policy will fail to apply. + diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md index 262bcc5d2a..866a2de12f 100644 --- a/devices/surface-hub/surface-hub-recovery-tool.md +++ b/devices/surface-hub/surface-hub-recovery-tool.md @@ -16,7 +16,7 @@ ms.localizationpriority: medium The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs. -To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf). +To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md). >[!IMPORTANT] >Do not let the device go to sleep or interrupt the download of the image file. @@ -46,9 +46,9 @@ If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub ## Download Surface Hub Recovery Tool -Surface Hub Recovery Tool is available for download from [Surface Hub Tools for IT](https://www.microsoft.com/download/details.aspx?id=52210) under the file name **SurfaceHub_Recovery_v1.4.137.0.msi**. +Surface Hub Recovery Tool is available for download from [Surface Hub Tools for IT](https://www.microsoft.com/download/details.aspx?id=52210) under the file name **SurfaceHub_Recovery_v1.14.137.0.msi**. -To start the download, click **Download**, choose **SurfaceHub_Recovery_v1.4.137.0.msi** from the list, and click **Next**. From the pop-up, choose one of the following: +To start the download, click **Download**, choose **SurfaceHub_Recovery_v1.14.137.0.msi** from the list, and click **Next**. From the pop-up, choose one of the following: - Click **Run** to start the installation immediately. - Click **Save** to copy the download to your computer for later installation. @@ -73,7 +73,8 @@ Install Surface Hub Recovery Tool on the host PC. ![Download the image?](images/shrt-download.png) -5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf). +5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md). + ![Connect SSD](images/shrt-drive.png) @@ -96,4 +97,4 @@ The reimaging process appears halted/frozen | It is safe to close and restart th The drive isn’t recognized by the tool | Verify that the Surface Hub SSD is enumerated as a Lite-On drive, "LITEON L CH-128V2S USB Device". If the drive is recognized as another named device, your current cable isn’t compatible. Try another cable or one of the tested cable listed above. Error: -2147024809 | Open Disk Manager and remove the partitions on the Surface Hub drive. Disconnect and reconnect the drive to the host machine. Restart the imaging tool again. -If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). \ No newline at end of file +If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md new file mode 100644 index 0000000000..2d6c5d82de --- /dev/null +++ b/devices/surface-hub/surface-hub-site-readiness-guide.md @@ -0,0 +1,135 @@ +--- +title: Surface Hub Site Readiness Guide +description: Use this Site Readiness Guide to help plan your Surface Hub installation. +ms.prod: surface-hub +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +--- + +# Surface Hub Site Readiness Guide + +Use this Site Readiness Guide to help plan your Surface Hub installation. In this guide, you’ll find: +- Site readiness topics +- Detailed hardware specifications on power, ports, and cables +- Recommendations for moving and storage +- Links to guidance on unpacking and mounting + +## Site readiness planning + +The room needs to be large enough to provide good viewing angles, but small enough for the microphones to pick up clear signals from the people in the room. Most rooms that are about 22 feet (seven meters) long will provide a good meeting experience. In the conference area, mount Surface Hub where: + +- Everyone in the room can see it. +- People can reach all four edges of the touchscreen. +- The screen is not in direct sunlight, which could affect viewing or damage the screen. +- Ventilation openings are not blocked. +- Microphones are not affected by noise sources, such as fans or vents. +You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub. + +### Hardware considerations + +Surface Hub arrives with: +- Two Microsoft Surface Hub pens +- A Microsoft wireless keyboard, customized for Surface Hub +- A 9-foot NEMA 5-15P (US Standard) to C13 power cable + +You’ll need to provide: +- Cat-5e or Cat-6 network cables +- Display cables (optional) +- Audio cable (optional) +- Type A to B USB cable (optional) + +For details about cable ports, see the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For details about cables, see [Wired Connect](#wired). + +Microsoft Surface Hub has an internal PC and does not require an external computer system. + +For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub. + +### Data and other connections + +To use Surface Hub, you need an active Ethernet port and a standard power outlet. In addition, you may want to: + +- Equip the conference table for Wired Connect. +- Expand the wall outlet configuration to include: + - Additional AC outlets + - Ethernetports + - Audio ports + - Video ports (DisplayPort, HDMI, VGA, etc.) + + +## When Surface Hub arrives + +Surface Hub is large and heavy, so let Receiving know when it will arrive and what they should do to handle it safely. For details on the packing weights and other specifications, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). + +Consider the following: +- Wait to unpack Surface Hub from the shipping container until you’ve moved it to the conference area where you plan to install it. +- Make sure your loading dock can accept a shipment on a pallet and hold it securely until it can be installed. +- Check for local labor union rules that would require you to use union labor to unload or move Surface Hub. +- Do not leave Surface Hub in a hot or humid environment. As with any computer-based or display equipment, heat and humidity can damage Surface Hub. The recommended storage temperatures are 32°F to 95°F with a relative humidity of less than 70 percent. + +### Moving Surface Hub + +Before you move Surface Hub, make sure that all the doorways, thresholds, hallways, and elevators are big enough to accommodate it. For information on the dimensions and weight of your Surface Hub in its shipping container, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). + +### Unpacking Surface Hub + +For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub + +>[!IMPORTANT] +>Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it +for repairs. For the 84” Surface Hub, retain the lifting handles. + +### Lifting Surface Hub + +The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub. + +## Mounting and setup + +See the [Technical information]() section, or your mounting guide at http://www.microsoft.com/surface/support/surface-hub, for detailed instructions. + +There are three ways to mount your Surface Hub: + +- **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall. +- **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall. +- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub. + + +## The Connect experience + +Connect lets people project their laptop, tablet, or phone to the Surface Hub screen. Connect allows wireless or wired connection types. + +#### Wireless connect + +Since wireless connect is based on Miracast, you don’t need cables or additional setup planning to use it. Your users can load Miracast on most Miracast-enabled Windows 8.1 and Windows 10 devices. Then they can project their display from their computer or phone to the Surface Hub screen. + + +#### Wired connect + +With wired connect, a cable transmits information from computers, tablets, or phones to Surface Hub. There are three video cable options, and they all use the same USB 2.0 cable. The cable bundle can include one or all of these connection options. + +- DisplayPort (DisplayPort cable + USB 2.0 cable) +- HDMI (HDMI cable + USB 2.0 cable) +- VGA (VGA cable + 3.5mm audio cable + USB 2.0 cable) + +For example, to provide audio, video, and touchback capability to all three video options, your Wired Connect cable bundle must include: + +- A DisplayPort cable +- An HDMI cable +- A VGA cable +- A USB 2.0 cable +- A 3.5mm cable + +When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand. + +For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub. + + + +## See also + +[Watch the video (opens in a pop-up media player)][http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) + + + diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md new file mode 100644 index 0000000000..277ceef816 --- /dev/null +++ b/devices/surface-hub/surface-hub-ssd-replacement.md @@ -0,0 +1,52 @@ +--- +title: Surface Hub SSD replacement +description: Learn how to replace the solid state drive in a Surface Hub. +ms.prod: surface-hub +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +--- + +# Surface Hub SSD replacement + +You might need to remove the solid state drive (SSD) from your Surface Hub so that you can reimage it using the [Surface Hub Recovery Tool](surface-hub-recovery-tool.md) or because you've been sent a replacement drive. You would reimage your SSD when the operating system is no longer bootable, such as from a Windows update failure, BitLocker issues, reset failure, or hardware failure. + + +>[!WARNING] +>Make sure the Surface Hub is turned off at the AC switch. + +1. Locate the SSD compartment door on the rear, upper portion of the Surface Hub in the locations illustrated below. The door is identifiable as it doesn't have open ventilation slots. + + ![SSD compartment door](images/ssd-location.png) + + *Surface Hub hard drive locations* + +2. Locate the locking tab on the hard drive compartment door. On the Surface Hub 55, the locking tab will be located on the left-hand side of the door. On the Surface Hub 84, it will be on the right-hand side as shown in the illustration. + + ![SSD compartment locking tab](images/ssd-lock-tab.png) + + *Locking tab on hard drive compartment door* + +3. Lift open the compartment door to access the hard drive. + + ![Lift](images/ssd-lift-door.png) + + *Lift compartment door* + +4. Locate the pull tab, which may be partially hidden under the rear cover. Pull on the tab to eject the hard drive from the compartment. + + ![Pull](images/ssd-pull-tab.png) + + *Pull tab* + +5. Slide the replacement drive into place until you hear it click. + + ![Slide in drive](images/ssd-click.png) + + *Slide replacement drive into place* + +6. Close the compartment door. + +7. Apply power to the Surface Hub. diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md new file mode 100644 index 0000000000..bfcca2c16f --- /dev/null +++ b/devices/surface-hub/surface-hub-technical-55.md @@ -0,0 +1,151 @@ +--- +title: Technical information for 55" Surface Hub +description: Specifications for the 55" Surface Hub +ms.prod: surface-hub +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +--- + +# Technical information for 55" Surface Hub + +## Measurements + +| +--- | --- +Pricing | Starting at $8,999 +Size | 31.75” x 59.62” x 3.38” (806.4mm x 1514.3mm x 85.8mm) +Storage/RAM | SSD 128GB with 8GB RAM +Processor | 4th Generation Intel® Core™ i5 +Graphics | Intel® HD 4600 +Ports | **Internal PC**
• (1) USB 3.0 (bottom) + (1) USB 3.0 (side access)
• (2) USB 2.0
• Ethernet 1000 Base-T
• DisplayPort
• Video Output
• 3.5mm Stereo Out
• RJ11 Connector for system-level control
**Alternate PC**
• (2) USB 2.0 type B output
• Connection for Camera, Sensors, Microphone, Speakers
• (1) DisplayPort Video Input
**Guest PC**
• DisplayPort Video Input
• HDMI Video Input
• VGA Video Input
• 3.5mm Stereo Input
• (1) USB 2.0 type B Touchback™ Output +Sensors | (2) Passive Infrared Presence Sensors, Ambient Light Sensors +Speakers | (2) Front-facing stereo speakers +Microphone | High-Performance, 4-Element Array +Camera | (2) Wide angle HD cameras 1080p @ 30fps +Pen | (2) Powered, active, subpixel accuracy +Physical side buttons | Power, Input Select, Volume, Brightness +Software | Windows 10 + Office (Word, PowerPoint, Excel) +What’s in the box | • Surface Hub 55”
• (2) Surface Hub Pens
• Power Cable
• Setup Guide
• Start Guide
• Safety and Warranty documents
• Wireless All-in-One Keyboard +Mounting features | 4X VESA standard, 400mm x 400mm plus 1150mm x 400mm pattern, 8X M6 X 1.0 threaded mounting locations +Display height from floor | Recommended height of 55 inches (139.7 cm) to center of screen +Product weight | Approx. 105 lb. (47.6 kg) without accessories +Product shipping weight | Approx. 150 lb. (68 kg) +Product dimensions HxWxD | 31.63 x 59.62 x 3.2 inches (80.34 x 151.44 x 8.14 cm) +Product shipping dimensions HxWxD | 43 x 65 x 20 inches (109 x 165 x 51 cm) +Product thickness | Touch surface to mounting surface: ≤ 2.4 inches (6 cm) +Orientation | Landscape only. Display cannot be used in a portrait orientation. +BTU | 1706 BTU/h +Image resolution | 1920 x 1080 +Frame rate | 120Hz +EDID preferred timing, replacement PC | 1920 x 1080, 120Hz vertical refresh +EDID preferred timing, wired connect | 1920 x 1080, 60Hz vertical refresh +Input voltage | (50/60Hz) 110/230v nominal, 90-265v max +Input power, operating | 500W max +Input power, standby | 5W nominal + + +## Replacement PC connections + +Connector and location | Label | Description +--- | --- | --- +Switch, bottom I/O | ![](images/switch.png) | Switches the function between using internal PC or external PC. +Display port, bottom I/O | ![](images/dport.png) | Provides input for replacement PC. +USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for replacement PC to internal peripherals. +USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for integrated hub. + + +## Wired connect connections + +Connector and location | Label | Description +--- | --- | --- +Display port, bottom I/O | ![](images/dportio.png) | Provides input for wired connect PC. +HDMI, bottom I/O | ![](images/hdmi.png) | Provides HDMI input for wired connect PC. +VGA, bottom I/O | ![](images/vga.png) | Provides VGA input for wired connect PC. +3.5mm, bottom I/O | ![](images/35mm.png) | Provides analog audio input. +USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for video ingest touchback. + +## Additional connections + +Connector and location | Label | Description +--- | --- | --- +USB type A, side I/O | ![](images/usb.png) | Provides 1 USB 3.0 connection for USB devices. Wake-on USB capable. +USB type A, bottom I/O with blue insulator | ![](images/usb.png) | Provides USB 3.0 connection. +3.5mm, bottom I/O | ![](images/analog.png) | Provides analog audio out. +Display port, bottom I/O | ![](images/dportout.png) | Provides mirrored video out function to another display. +IEC/EN60320-C13 receptable with hard switch | ![](images/iec.png) | Provides AC input and compliance with EU power requirements. +RJ45, bottom I/O | ![](images/rj45.png) | Connects to Ethernet. +RJ11, bottom I/O | ![](images/rj11.png) | Connects to room control systems. + + + + + + + +## Diagrams of ports and clearances + +***Top view of 55" Surface Hub*** + +![](images/sh-55-top.png) + +--- + + +***Front view of 55" Surface Hub*** + +![](images/sh-55-front.png) + + +--- + +***Bottom view of 55" Surface Hub*** + +![](images/sh-55-bottom.png) + + +--- + +***Replacement PC ports on 55" Surface Hub*** + +![](images/sh-55-rpc-ports.png) + + +--- + +***Keypad on right side of 55" Surface Hub*** + +![](images/key-55.png) + + +--- + +***Rear view of 55" Surface Hub*** + +![](images/sh-55-rear.png) + + +--- + +***Clearances for 55" Surface Hub*** + +![](images/sh-55-clearance.png) + +--- + + +***Front and bottom handholds and clearances for 55" Surface Hub*** + +![](images/sh-55-hand.png) + + +--- + + +***Rear handholds and clearances for 55" Surface Hub*** + +![](images/sh-55-hand-rear.png) + + diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md new file mode 100644 index 0000000000..b4c17e178c --- /dev/null +++ b/devices/surface-hub/surface-hub-technical-84.md @@ -0,0 +1,157 @@ +--- +title: Technical information for 84" Surface Hub +description: Specifications for the 84" Surface Hub +ms.prod: surface-hub +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +--- + +# Technical information for 84" Surface Hub + +## Measurements + +| +--- | --- +Pricing | Starting at $21,999 +Size | 46.12” x 86.7” x 4.15” (1171.5mm x 2202.9mm x 105.4mm) +Storage/RAM | SSD 128GB with 8GB RAM +Processor | 4th Generation Intel® Core™ i7 +Graphics | NVIDIA Quadro K2200 +Ports | **Internal PC**
• (1) USB 3.0 (bottom) + (1) USB 3.0 (side access)
• (4) USB 2.0
• Ethernet 1000 Base-T
• DisplayPort Video Output
• 3.5mm Stereo Out
• RJ11 Connector for system-level control
**Alternate PC**
• (2) USB 2.0 type B output
• connection for Camera, Sensors, Microphone, Speakers
• (2) DisplayPort Video Input
**Guest PC**
• DisplayPort Video Input
• HDMI Video Input
• VGA Video Input
• 3.5mm Stereo Input
• (1) USB 2.0 type B Touchback™ Output +Sensors | (2) Passive Infrared Presence Sensors, Ambient Light Sensors +Speakers | (2) Front-facing stereo speakers +Microphone | High-Performance, 4-Element Array +Camera | (2) Wide angle HD cameras 1080p @ 30fps +Pen | (2) Powered, active, subpixel accuracy +Physical side buttons | Power, Input Select, Volume, Brightness +Software | Windows 10 + Office (Word, PowerPoint, Excel) +What’s in the box | • Surface Hub 84”
• (2) Surface Hub Pens
• Power Cable
• Setup Guide
• Safety and Warranty documents
• Wireless All-in-One Keyboard +Mounting features | 4X VESA standard, 1200mm x 600mm pattern, 8X M8 X 1.25 threaded mounting locations +Display height from floor | Recommended height of 54 inches (139.7 cm) to center of screen +Product weight | Approx. 280 lb. (127 kg.) +Product shipping weight | Approx. 580 lb. (263 kg.) +Product dimensions HxWxD | 46 x 86.9 x 4.1 inches (116.8 x 220.6 x 10.4 cm) +Product shipping dimensions HxWxD | 66.14 x 88.19 x 24.4 inches (168 x 224 x 62 cm) +Product thickness | Touch surface to mounting surface: ≤ 3.1 inches (7.8 cm) +Orientation | Landscape only. Display cannot be used in a portrait orientation. +BTU | 3070.8 BTU/h +Image resolution | 3840 x 2160 +Frame rate | 120Hz +Contrast Ratio | 1400:1 +EDID preferred timing, replacement PC | 3840 x 2140, 120Hz vertical refresh +EDID preferred timing, wired connect | 1920 x 1080, 60Hz vertical refresh +Input voltage | 110/230v nominal, 90-265v max +Input power, operating | 900W max +Input power, standby | 5W nominal, 1-10W max + + +## Replacement PC connections + +Connector and location | Label | Description +--- | --- | --- +Switch, bottom I/O | ![](images/switch.png) | Switches the function between using internal PC or external PC. +Display port, bottom I/O | ![](images/dport.png) | Provides input for replacement PC. +Display port, bottom I/O | ![](images/dport.png) | Provides second input for replacement PC. +USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for replacement PC to internal peripherals. +USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for integrated hub. + + +## Wired connect connections + +Connector and location | Label | Description +--- | --- | --- +Display port, bottom I/O | ![](images/dportio.png) | Provides input for wired connect PC. +HDMI, bottom I/O | ![](images/hdmi.png) | Provides HDMI input for wired connect PC. +VGA, bottom I/O | ![](images/vga.png) | Provides VGA input for wired connect PC. +3.5mm, bottom I/O | ![](images/35mm.png) | Provides analog audio input. +USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for video ingest touchback. + +## Additional connections + +Connector and location | Label | Description +--- | --- | --- +USB type A, side I/O | ![](images/usb.png) | Provides 1 USB 3.0 connection for USB devices. Wake-on USB capable. +USB type A, bottom I/O with blue insulator | ![](images/usb.png) | Provides USB 3.0 connection. +3.5mm, bottom I/O | ![](images/analog.png) | Provides analog audio out. +Display port, bottom I/O | ![](images/dportout.png) | Provides mirrored video out function to another display. +IEC/EN60320-C13 receptable with hard switch | ![](images/iec.png) | Provides AC input and compliance with EU power requirements. +RJ45, bottom I/O | ![](images/rj45.png) | Connects to Ethernet. +RJ11, bottom I/O | ![](images/rj11.png) | Connects to room control systems. + + + + + + + +## Diagrams of ports and clearances + +***Top view of 84" Surface Hub*** + +![](images/sh-84-top.png) + +--- + + +***Front view of 84" Surface Hub*** + +![](images/sh-84-front.png) + + +--- + +***Bottom view of 84" Surface Hub*** + +![](images/sh-84-bottom.png) + + +--- + +***Replacement PC ports on 84" Surface Hub*** + +![](images/sh-84-rpc-ports.png) + + + +--- + +***Rear view of 84" Surface Hub*** + +![](images/sh-84-rear.png) + + +--- + +***Clearances for 84" Surface Hub*** + +![](images/sh-84-clearance.png) + +--- + + +***Removable lifting handles on 84” Surface Hub *** + +![](images/sh-84-hand.png) + + +--- + + +***Wall mount threads on back of 84” Surface Hub *** + +![](images/sh-84-wall.png) + +--- +***Lifting handles in top view of 84” Surface Hub*** + +![](images/sh-84-hand-top.png) + +--- +***Side view of 84” Surface Hub*** + +![](images/sh-84-side.png) + + diff --git a/devices/surface-hub/surface-hub.yml b/devices/surface-hub/surface-hub.yml index 0a9e948ca5..dac70e8f37 100644 --- a/devices/surface-hub/surface-hub.yml +++ b/devices/surface-hub/surface-hub.yml @@ -34,7 +34,7 @@ sections: - type: markdown text: " Prepare to deploy Surface Hub in your organization. Explore site readiness, assembly, configuration, and Exchange and ActiveSync policies.
- +

**Get ready for Surface Hub**
Explore the steps you'll need to take to set up Surface Hub.
Surface Hub Site Readiness Guide (PDF, 1.48 MB)
Unpacking guides
**Assembly for Surface Hub**
Learn how to assemble your Surface Hub.
Surface Hub Setup Guide (PDF, 1.43 MB)
Mounting and assembling guides
**Prepare your environment**
Learn about setup dependencies and account requirements.
Prepare your environment
Create and test a device account

**Get ready for Surface Hub**
Explore the steps you'll need to take to set up Surface Hub.
Surface Hub Site Readiness Guide (PDF, 1.48 MB)
Unpacking guides
**Assembly for Surface Hub**
Learn how to assemble your Surface Hub.
Surface Hub Setup Guide (PDF, 1.43 MB)
Mounting and assembling guides
**Prepare your environment**
Learn about setup dependencies and account requirements.
Prepare your environment
Create and test a device account
" - title: Deploy diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 10f086f358..9a68506147 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -1,27 +1,29 @@ --- -title: Set up and use Whiteboard to Whiteboard collaboration +title: Set up and use Microsoft Whiteboard description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 07/12/2018 +ms.date: 03/18/2019 ms.localizationpriority: medium --- -# Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) +# Set up and use Microsoft Whiteboard + -The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. >[!IMPORTANT] ->A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen cannot collaborate with the new version that can be installed on the PC. If people in your organization install the new Whiteboard on their PCs, you must install the new Whiteboard on Surface Hub to enable collaboration. To learn more about installing the new Whiteboard on your Surface Hub, see [Whiteboard on Surface Hub opt-in](https://go.microsoft.com/fwlink/p/?LinkId=2004277). +>A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen has been renamed **Microsoft Whiteboard 2016**. Microsoft Whiteboard 2016 will be automatically upgraded by May 21, 2019, and the collaboration service for the legacy app will stop functioning after June 7, 2019. For more details, see [Enable Microsoft Whiteboard on Surface Hub](https://support.office.com/article/enable-microsoft-whiteboard-on-surface-hub-b5df4539-f735-42ff-b22a-0f5e21be7627?ui=en-US&rs=en-US&ad=US). + +The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. ![example of a whiteboard with collaborative inking](images/wb-collab-example.png) -## Prerequisites for Whiteboard to Whiteboard collaboration +## Prerequisites for Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016) To get Whiteboard to Whiteboard collaboration up and running, you’ll need to make sure your organization meets the following requirements: @@ -36,7 +38,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m >[!NOTE] >Collaborative sessions can only take place between users within the same tenant, so users outside of your organization won’t be able to join even if they have a Surface Hub. -## Using Whiteboard to Whiteboard collaboration +## Using Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016) To start a collaboration session: diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index df57cb2c6d..c83a77a2bd 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -24,6 +24,7 @@ ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) ## [Manage Surface UEFI settings](manage-surface-uefi-settings.md) ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) +### [Surface System SKU reference](surface-system-sku-reference.md) ## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md index dce83705cc..b1a34e4f19 100644 --- a/devices/surface/battery-limit.md +++ b/devices/surface/battery-limit.md @@ -19,7 +19,7 @@ Battery Limit option is a UEFI setting that changes how the Surface device batte Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity. -Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models. +Adding the Battery Limit option to Surface UEFI requires a [Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device. Currently, Battery Limit is supported on a subset of Surface devices and will be available in the future on other Surface device models. ## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 9c34783c79..271b1cc5e2 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -13,6 +13,13 @@ ms.topic: article This topic lists new and updated topics in the Surface documentation library. +## March 2019 + +New or changed topic | Description +--- | --- +[Surface System SKU reference](surface-system-sku-reference.md) | New + + ## February 2019 New or changed topic | Description diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 7f519a64e2..d0e16a8292 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,234 +9,59 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords +ms.date: 11/15/2018 ms.author: jdecker ms.topic: article --- -# Download the latest firmware and drivers for Surface devices +# Deploying the latest firmware and drivers for Surface devices +Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. +## Downloading MSI files +To download MSI files, refer to the following Microsoft Support page: + +- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
+Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices. -This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. +## Deploying MSI files +Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10. +In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6. -Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the requisite files on the Microsoft Download Center. -On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md). +### Surface MSI naming convention +Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. SurfacePro6_Win10_16299_1900307_0.msi is classified as follows: -Driver and firmware updates for Surface devices are **cumulative updates** which provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows. +**Example:** +SurfacePro6_Win10_16299_1900307_0.msi : -Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article. +| Product | Windows release | Build | Version | Revision of version | +| --- | --- | --- | --- | --- | +| SurfacePro6 | Win10 | 16299 | 1900307 | 0 | +| | | | Indicates key date and sequence information | Indicates release history of the MSI file | +| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. | ->[!NOTE] ->Many of the filenames contain a placeholder denoted with *xxxxxx*, representing the latest version number listed in the Microsoft Download Center. A battery charge of 40 percent or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. +Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list: -## Surface Laptop 2 -Download the following updates for [Surface Laptop 2 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57515). -* SurfaceLaptop2_Win10_xxxxx_xxxxxxx_x.msi – Cumulative firmware and driver update package for Windows 10 +- SurfacePro6_Win10_16299_1900307_0.msi +- SurfacePro6_Win10_17134_1808507_3.msi +- SurfacePro6_Win10_17763_1808707_3.msi -## Surface Pro 6 +The first file — SurfacePro6_Win10_16299_1900307_0.msi — is the newest because its VERSION field has the newest build in 2019; the other files are from 2018. -Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57514). - -* SurfacePro6_Win10_xxxxx_xxxxxxx_x.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Go - -Download the following updates for [Surface Go from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439). -* SurfaceGO_Win10_xxxxx_xxxxxxx_x.msi - Cumulative firmware and driver update package for Windows 10 - -## Surface Go with LTE Advanced - -Download the following updates for [Surface Go with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57601). - -* SurfaceGo_Win10_xxxxx_xxxxxxx_LTE_1.msi - Cumulative firmware and driver update package for Windows 10 including optional WinTab drivers. - -## Surface Book 2 - -Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261). -* SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Laptop - -Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489). -* SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Pro - -Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484). - -* SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Pro with LTE Advanced - -Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278). - -* SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Pro 6 - -Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57514). - -* SurfacePro6_Win10_xxxxx_xxxxxxx_x.msi - -## Surface Studio - - -Download the following updates for [Surface Studio from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=54311). - -* SurfaceStudio_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Studio 2 - -Download the following updates for [Surface Studio 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57593). - -* SurfaceStudio2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -## Surface Book - - -Download the following updates [for Surface Book from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49497). - -- SurfaceBook_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -- SurfaceBook_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -## Surface Pro 4 - - -Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49498). - -- SurfacePro4_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -- SurfacePro4_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -## Surface Pro 3 - - -Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=38826). - -- SurfacePro3_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -- SurfacePro3_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - -- SurfacePro3_Win8x_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro - -- SurfacePro3_Win8x_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro - -- Surface Firmware Tool.msi – Firmware tools for UEFI management - -- Surface Pro 3 AssetTag.zip – UEFI Asset Tag management tool - -- Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1 - -- Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1 - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -## Surface 3 - - -Download the following updates [for Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49040). - -- Surface3_WiFi_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 - -- Surface3_WiFi_Win10_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - -- Surface3_WiFi_Win8x_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro - -- Surface3_WiFi_Win8x_xxxxx_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro - -- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -## Surface 3 LTE - - -Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49039). - -- Surface3_4GLTE-ATT_Win10_xxxxx_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10 - -- Surface3_4GLTE-ATT_Win10_xxxxx_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10 - -- Surface3_4GLTE-ATT_Win8x_xxxxx_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro - -- Surface3_4GLTE-ATT_Win8x_xxxxx_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro - -- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49037). - -- Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxx_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10 - -- Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxx_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10 - -- Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxx_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro - -- Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxx_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro - -- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49041). - -- Surface3_4GLTE-RestOfTheWorld_Win10_xxxxx_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10 - -- Surface3_4GLTE-RestOfTheWorld_Win10_xxxxx_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10 - -- Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxx_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro - -- Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxx_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro - -- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - -- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 - -## Surface Pro 2 - - -Download the following updates [for Surface Pro 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49042). - -- SurfacePro2\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - -- SurfacePro2\_Win8x\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro - -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1 - -## Surface Pro - - -Download the following updates [for Surface Pro (Model 1514) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49038). - -- SurfacePro\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - -- Surface Pro 1 - xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro - -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1 - -## Surface devices with Windows RT +## Supported devices +Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. +[!NOTE] There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update. -If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business). +For more information about deploying Surface drivers and firmware, refer to: + +- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). + +- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business). -    diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 8477cac86f..41fee61550 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -26,13 +26,15 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.surface" + "depot_name": "Win.surface", + "folder_relative_path_in_docset": "./" } } }, "externalReference": [ ], "template": "op.html", - "dest": "devices/surface" + "dest": "devices/surface", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index 7325a15492..0a73499333 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -60,7 +60,7 @@ SDT for Business is supported on Surface 3 and later devices, including: To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags: - `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry. -- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for Business client mode or `1` for Business Administrator mode. The default value is `0`. +- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for client mode or `1` for IT Administrator mode. The default value is `0`. **To install SDT in ADMINMODE:** diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md new file mode 100644 index 0000000000..cf5960ded6 --- /dev/null +++ b/devices/surface/surface-system-sku-reference.md @@ -0,0 +1,59 @@ +--- +title: System SKU reference (Surface) +description: See a reference of System Model and System SKU names. +keywords: uefi, configure, firmware, secure, semm +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices, security +ms.sitesec: library +author: coveminer +ms.author: v-jokai +ms.topic: article +ms.date: 03/20/2019 +--- + +# System SKU reference + +This document provides a reference of System Model and System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell or WMI. + +System Model and System SKU are variables stored in System Management BIOS (SMBIOS) tables in the UEFI layer of Surface devices. The System SKU name is required to differentiate between devices with the same System Model name, such as Surface Pro and Surface Pro with LTE Advanced. + +| Device | System Model | System SKU | +| ---------- | ----------- | -------------- | +| Surface 3 WiFI | Surface 3 | Surface_3 | +| Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 | +| Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 | +| Surface 3 LTE North America | Surface 3 | Surface_3_NAG | +| Surface 3 LTE Outside of North America and T-Mobile In Japan | Surface 3 | Surface_3_ROW | +| Surface Pro | Surface Pro | Surface_Pro_1796 | +| Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 | +| Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 | +| Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | +| Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | +| Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial | +| Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer | +| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | +| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | +| Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial | + +## Examples + +**PowerShell** + Use the following PowerShell command to pull System SKU: + + ``` +gwmi -namespace root\wmi -class MS_SystemInformation | select SystemSKU +``` + +**System Information** +You can also find the System SKU and System Model for a device in System Information. + +- Go to **Start** > **MSInfo32**. + +One example of how you could use this in Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager is as part of a Task Sequence WMI Condition. For example: + +**Task Sequence WMI Condition** + + + - WMI Namespace – Root\WMI + - WQL Query – SELECT * FROM MS_SystemInformation WHERE SystemSKU = "Surface_Pro_1796" diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index c584cc40bb..907ab49ce6 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -23,17 +23,22 @@ Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anni The following devices are supported for WOL: -* Surface Book 2 -* Surface Pro with LTE Advanced (Model 1807) -* Surface Pro (Model 1796) -* Surface Laptop -* Surface Book -* Surface Pro 4 -* Surface 3 -* Surface Pro 3 * Surface Ethernet adapter +* Surface USB-C to Ethernet and USB Adapter * Surface Dock * Surface Docking Station for Surface Pro 3 +* Surface 3 +* Surface Pro 3 +* Surface Pro 4 +* Surface Pro (5th Gen) +* Surface Pro (5th Gen) with LTE Advanced +* Surface Book +* Surface Laptop (1st Gen) +* Surface Pro 6 +* Surface Book 2 +* Surface Laptop 2 +* Surface Go +* Surface Go with LTE Advanced ## WOL driver diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 08390d3c46..baef69db7c 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -52,6 +52,9 @@ Enrolling Surface devices in Windows Autopilot at the time of purchase is a capa When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: -- [SHI](https://www.shi.com/Surface) -- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) - [Atea](https://www.atea.com/) +- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) +- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) +- [SHI](https://www.shi.com/Surface) + + diff --git a/education/docfx.json b/education/docfx.json index 227546b56a..aed16babee 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -26,13 +26,15 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.education" + "depot_name": "Win.education", + "folder_relative_path_in_docset": "./" } } }, "externalReference": [ ], "template": "op.html", - "dest": "education" + "dest": "education", + "markdownEngineName": "dfm" } } diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index 49d37afbff..054ecc6647 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -137,7 +137,7 @@ If you've previously used Set up School PCs to provision student devices, you ca The provisioning package on your USB drive will be named SetUpSchoolPCs_*ABCDE* (Expires *MM-DD-YYYY*).ppkg, where *ABCDE* is the device name you added (if any), and *MM-DD-YYYY* is the month, day, and year when the package will expire. > [!NOTE] - > If you selected **Office 365 for Windows 10 S (Education Preview)**, this step will take about 30-45 minutes. You can jump ahead to task 3, [Express configure Intune for Education to manage devices, users, and policies](#task3), and then finish the rest of task 2 afterwards. + > If you selected **Office 365 for Windows 10 S (Education Preview)**, this step will take about 30-45 minutes. You can jump ahead to task 3, [Express configure Intune for Education to manage devices, users, and policies](#it-task3), and then finish the rest of task 2 afterwards. 12. Follow the instructions in the **Get the student PCs ready** page to start setting up **Device B**. 13. Follow the instructions in the **Install the package** page to apply the provisioning package to **Device B**. For more guidance, you can follow the steps in [Apply the provisioning package](#apply-the-provisioning-package). diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index b4d1febe79..2f77a266c0 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -34,7 +34,7 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio - **Minecraft: Education Edition** requires Windows 10. - Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD). - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. - * Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) + * Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx) diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index ecfbf5b1fc..98cc4a6b9c 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -1,5 +1,5 @@ --- -title: Azure AD Join with Setup School PCs app +title: Azure AD Join with Set up School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 6a1a7946ef..ccd3cd06b7 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -122,7 +122,7 @@ To change an existing package's name, right-click the package folder on your dev 1. Select how you want to sign in. a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3. - b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network). + b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network). 2. In the new window, select the account you want to use throughout setup. ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/1810_choose_account_suspc.png) diff --git a/gdpr/docfx.json b/gdpr/docfx.json index d426f781dc..2fd5e0e9f9 100644 --- a/gdpr/docfx.json +++ b/gdpr/docfx.json @@ -38,6 +38,7 @@ }, "fileMetadata": {}, "template": [], - "dest": "gdpr" + "dest": "gdpr", + "markdownEngineName": "dfm" } } \ No newline at end of file diff --git a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md index 1ab5778707..87c3a92fd0 100644 --- a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md +++ b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md @@ -862,10 +862,10 @@ For more information about how to create the file using the App-V 5.0 Management To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-50-reporting.md b/mdop/appv-v5/about-app-v-50-reporting.md index 42275f2c12..e8d03cb385 100644 --- a/mdop/appv-v5/about-app-v-50-reporting.md +++ b/mdop/appv-v5/about-app-v-50-reporting.md @@ -302,10 +302,10 @@ To retrieve report information and create reports using App-V 5.0 you must use o You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-50-sp1.md b/mdop/appv-v5/about-app-v-50-sp1.md index f33f2f2a6c..7abef85fc1 100644 --- a/mdop/appv-v5/about-app-v-50-sp1.md +++ b/mdop/appv-v5/about-app-v-50-sp1.md @@ -36,10 +36,10 @@ This service pack contains the following changes: App-V 5.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-50-sp2.md b/mdop/appv-v5/about-app-v-50-sp2.md index 0ea35eb3dd..bf06ad558b 100644 --- a/mdop/appv-v5/about-app-v-50-sp2.md +++ b/mdop/appv-v5/about-app-v-50-sp2.md @@ -160,10 +160,10 @@ App-V 5.0 SP2 provides updated documentation for the following scenarios: App-V 5.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md index 6aa8082174..17c1fbf0a3 100644 --- a/mdop/appv-v5/about-app-v-50-sp3.md +++ b/mdop/appv-v5/about-app-v-50-sp3.md @@ -819,10 +819,10 @@ Client-Catalog Client-Integration Client-Orchestration Client-PackageConfig Clie App-V is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-50.md b/mdop/appv-v5/about-app-v-50.md index c6818b20c0..53a5118e94 100644 --- a/mdop/appv-v5/about-app-v-50.md +++ b/mdop/appv-v5/about-app-v-50.md @@ -90,10 +90,10 @@ The following table displays some of the differences between App-V 4.6 and App-V App-V 5.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md index 45009f6404..b208eda474 100644 --- a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md +++ b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md @@ -960,7 +960,7 @@ You can create the dynamic configuration file using one of three methods: either To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. -## Got a suggestion for App-V? + - Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). - For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/about-app-v-51-reporting.md b/mdop/appv-v5/about-app-v-51-reporting.md index 531f168a70..f4114c9174 100644 --- a/mdop/appv-v5/about-app-v-51-reporting.md +++ b/mdop/appv-v5/about-app-v-51-reporting.md @@ -302,10 +302,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 700251df9c..c942fd6e40 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -506,10 +506,10 @@ Previously, the 4.6 root folder was not recognized and could not be accessed by App-V is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-client-configuration-settings.md b/mdop/appv-v5/about-client-configuration-settings.md index c39c867dbe..11e4f02114 100644 --- a/mdop/appv-v5/about-client-configuration-settings.md +++ b/mdop/appv-v5/about-client-configuration-settings.md @@ -460,10 +460,10 @@ The following table displays information about the App-V 5.0 client configuratio   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-client-configuration-settings51.md b/mdop/appv-v5/about-client-configuration-settings51.md index f26c4e4016..8ec20efe37 100644 --- a/mdop/appv-v5/about-client-configuration-settings51.md +++ b/mdop/appv-v5/about-client-configuration-settings51.md @@ -62,10 +62,10 @@ The following table displays information about the App-V 5.1 client configuratio | HideUI
**Important**  This setting is available only with App-V 5.0 SP2.| Not available. | Hides the publishing refresh progress bar. | 1 (Enabled), 0 (Disabled) | | | | ProcessesUsingVirtualComponents | Not available. | Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | String | Virtualization\ProcessesUsingVirtualComponents | Empty string. | -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-the-connection-group-file.md b/mdop/appv-v5/about-the-connection-group-file.md index 38e84d391f..3719b1a019 100644 --- a/mdop/appv-v5/about-the-connection-group-file.md +++ b/mdop/appv-v5/about-the-connection-group-file.md @@ -273,10 +273,10 @@ The virtual application Microsoft Outlook is running in virtual environment **XY   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-the-connection-group-file51.md b/mdop/appv-v5/about-the-connection-group-file51.md index dc7e869f7d..4d840f5286 100644 --- a/mdop/appv-v5/about-the-connection-group-file51.md +++ b/mdop/appv-v5/about-the-connection-group-file51.md @@ -273,10 +273,10 @@ The virtual application Microsoft Outlook is running in virtual environment **XY   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-the-connection-group-virtual-environment.md b/mdop/appv-v5/about-the-connection-group-virtual-environment.md index b49f47a051..d53f043ea0 100644 --- a/mdop/appv-v5/about-the-connection-group-virtual-environment.md +++ b/mdop/appv-v5/about-the-connection-group-virtual-environment.md @@ -91,10 +91,10 @@ In the example above, when a virtualized application tries to find a specific fi - If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, the first matching file is used. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/about-the-connection-group-virtual-environment51.md b/mdop/appv-v5/about-the-connection-group-virtual-environment51.md index 5a2e93ea4c..860efa5550 100644 --- a/mdop/appv-v5/about-the-connection-group-virtual-environment51.md +++ b/mdop/appv-v5/about-the-connection-group-virtual-environment51.md @@ -91,10 +91,10 @@ In the example above, when a virtualized application tries to find a specific fi - If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, the first matching file is used. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/administering-app-v-50-virtual-applications-by-using-the-management-console.md b/mdop/appv-v5/administering-app-v-50-virtual-applications-by-using-the-management-console.md index 81060373c9..9a03e5912d 100644 --- a/mdop/appv-v5/administering-app-v-50-virtual-applications-by-using-the-management-console.md +++ b/mdop/appv-v5/administering-app-v-50-virtual-applications-by-using-the-management-console.md @@ -94,10 +94,10 @@ The main elements of the App-V 5.0 Management Console are:   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for this App-V 5.0 deployment diff --git a/mdop/appv-v5/administering-app-v-51-by-using-powershell.md b/mdop/appv-v5/administering-app-v-51-by-using-powershell.md index 3afbaf333b..9bc74c04be 100644 --- a/mdop/appv-v5/administering-app-v-51-by-using-powershell.md +++ b/mdop/appv-v5/administering-app-v-51-by-using-powershell.md @@ -120,10 +120,10 @@ Use the following table for information about App-V 5.1 PowerShell error handlin   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md b/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md index f96d69ce14..cdba1e3c73 100644 --- a/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md +++ b/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md @@ -93,10 +93,10 @@ JavaScript must be enabled on the browser that opens the Web Management Console.   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for this App-V 5.1 deployment diff --git a/mdop/appv-v5/administering-app-v-by-using-powershell.md b/mdop/appv-v5/administering-app-v-by-using-powershell.md index 05699ac77a..2e57a49140 100644 --- a/mdop/appv-v5/administering-app-v-by-using-powershell.md +++ b/mdop/appv-v5/administering-app-v-by-using-powershell.md @@ -115,10 +115,10 @@ Use the following table for information about App-V 5.0 PowerShell error handlin   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-capacity-planning.md b/mdop/appv-v5/app-v-50-capacity-planning.md index 58d36ab88f..f390bd34b8 100644 --- a/mdop/appv-v5/app-v-50-capacity-planning.md +++ b/mdop/appv-v5/app-v-50-capacity-planning.md @@ -936,10 +936,10 @@ Ignoring scaling requirements, the minimum number of servers necessary to provid Although there are a number of fault-tolerance strategies and technologies available, not all are applicable to a given service. Additionally, if App-V 5.0 roles are combined, certain fault-tolerance options may no longer apply due to incompatibilities. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-deployment-checklist.md b/mdop/appv-v5/app-v-50-deployment-checklist.md index 54ba7ffcdf..07e3aaa3b1 100644 --- a/mdop/appv-v5/app-v-50-deployment-checklist.md +++ b/mdop/appv-v5/app-v-50-deployment-checklist.md @@ -72,10 +72,10 @@ This checklist outlines the recommended steps and a high-level list of items to   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-planning-checklist.md b/mdop/appv-v5/app-v-50-planning-checklist.md index 4a26aa963b..58eeb4965b 100644 --- a/mdop/appv-v5/app-v-50-planning-checklist.md +++ b/mdop/appv-v5/app-v-50-planning-checklist.md @@ -78,10 +78,10 @@ This checklist outlines the recommended steps and a high-level list of items to   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-prerequisites.md b/mdop/appv-v5/app-v-50-prerequisites.md index 986a0450c7..122f51ecd4 100644 --- a/mdop/appv-v5/app-v-50-prerequisites.md +++ b/mdop/appv-v5/app-v-50-prerequisites.md @@ -422,10 +422,10 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-security-considerations.md b/mdop/appv-v5/app-v-50-security-considerations.md index 70bcefc977..bc02f92332 100644 --- a/mdop/appv-v5/app-v-50-security-considerations.md +++ b/mdop/appv-v5/app-v-50-security-considerations.md @@ -145,10 +145,10 @@ During App-V 5.0 Setup, setup log files are created in the **%temp%** folder of []() -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/app-v-50-sp3-prerequisites.md b/mdop/appv-v5/app-v-50-sp3-prerequisites.md index da61af1bfa..b3b1e67d35 100644 --- a/mdop/appv-v5/app-v-50-sp3-prerequisites.md +++ b/mdop/appv-v5/app-v-50-sp3-prerequisites.md @@ -635,10 +635,10 @@ Install the following prerequisite software for the App-V Remote Desktop Service   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-sp3-supported-configurations.md b/mdop/appv-v5/app-v-50-sp3-supported-configurations.md index fdd9c0c8ac..92d0906da7 100644 --- a/mdop/appv-v5/app-v-50-sp3-supported-configurations.md +++ b/mdop/appv-v5/app-v-50-sp3-supported-configurations.md @@ -442,10 +442,10 @@ The App-V client supports the following versions of System Center Configuration For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-50-supported-configurations.md b/mdop/appv-v5/app-v-50-supported-configurations.md index c45a8eda10..f2e59289eb 100644 --- a/mdop/appv-v5/app-v-50-supported-configurations.md +++ b/mdop/appv-v5/app-v-50-supported-configurations.md @@ -510,10 +510,10 @@ You can use Microsoft System Center 2012 Configuration Manager or System Cen For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-51-capacity-planning.md b/mdop/appv-v5/app-v-51-capacity-planning.md index bde914dcfc..7a95357504 100644 --- a/mdop/appv-v5/app-v-51-capacity-planning.md +++ b/mdop/appv-v5/app-v-51-capacity-planning.md @@ -936,10 +936,10 @@ Ignoring scaling requirements, the minimum number of servers necessary to provid Although there are a number of fault-tolerance strategies and technologies available, not all are applicable to a given service. Additionally, if App-V 5.1 roles are combined, certain fault-tolerance options may no longer apply due to incompatibilities. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-51-deployment-checklist.md b/mdop/appv-v5/app-v-51-deployment-checklist.md index 6758574cd0..2ba65578f0 100644 --- a/mdop/appv-v5/app-v-51-deployment-checklist.md +++ b/mdop/appv-v5/app-v-51-deployment-checklist.md @@ -72,10 +72,10 @@ This checklist outlines the recommended steps and a high-level list of items to   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-51-planning-checklist.md b/mdop/appv-v5/app-v-51-planning-checklist.md index 9de676494e..e5b4625455 100644 --- a/mdop/appv-v5/app-v-51-planning-checklist.md +++ b/mdop/appv-v5/app-v-51-planning-checklist.md @@ -78,10 +78,10 @@ This checklist outlines the recommended steps and a high-level list of items to   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-51-prerequisites.md b/mdop/appv-v5/app-v-51-prerequisites.md index f8078582a5..d1b12390d3 100644 --- a/mdop/appv-v5/app-v-51-prerequisites.md +++ b/mdop/appv-v5/app-v-51-prerequisites.md @@ -642,10 +642,10 @@ Install the following prerequisite software for the App-V Remote Desktop Service   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-51-security-considerations.md b/mdop/appv-v5/app-v-51-security-considerations.md index a1e53028bc..0129e9c720 100644 --- a/mdop/appv-v5/app-v-51-security-considerations.md +++ b/mdop/appv-v5/app-v-51-security-considerations.md @@ -127,10 +127,10 @@ The following will help you plan how to ensure that virtualized packages are sec During App-V 5.1 Setup, setup log files are created in the **%temp%** folder of the installing user. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md index b60c43d593..edb7f51bfb 100644 --- a/mdop/appv-v5/app-v-51-supported-configurations.md +++ b/mdop/appv-v5/app-v-51-supported-configurations.md @@ -520,10 +520,10 @@ The following App-V and System Center Configuration Manager version matrix shows For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/application-publishing-and-client-interaction.md b/mdop/appv-v5/application-publishing-and-client-interaction.md index b3bd9b1dbb..8671541943 100644 --- a/mdop/appv-v5/application-publishing-and-client-interaction.md +++ b/mdop/appv-v5/application-publishing-and-client-interaction.md @@ -1617,10 +1617,10 @@ There are three specific categories of events recorded described below. **Virtual Application**: Logs virtual application launches and use of virtualization subsystems. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/application-publishing-and-client-interaction51.md b/mdop/appv-v5/application-publishing-and-client-interaction51.md index dfaa56d9c0..0f95287f8c 100644 --- a/mdop/appv-v5/application-publishing-and-client-interaction51.md +++ b/mdop/appv-v5/application-publishing-and-client-interaction51.md @@ -1617,10 +1617,10 @@ There are three specific categories of events recorded described below. **Virtual Application**: Logs virtual application launches and use of virtualization subsystems. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md index 69af0d0e77..354f623a8c 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md @@ -321,10 +321,10 @@ The App-V 5.0 Sequencer can detect common sequencing issues during sequencing. T You can also find additional information about sequencing errors using the Windows Event Viewer. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for the App-V 5.0 sequencer diff --git a/mdop/appv-v5/deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md b/mdop/appv-v5/deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md index 74f663cc7c..ff5df535b5 100644 --- a/mdop/appv-v5/deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md +++ b/mdop/appv-v5/deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md @@ -32,10 +32,10 @@ Explains how to configure the App-V client to enable only administrators to publ [How to Enable Only Administrators to Publish Packages by Using an ESD](how-to-enable-only-administrators-to-publish-packages-by-using-an-esd.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for using an ESD and App-V 5.0 diff --git a/mdop/appv-v5/deploying-app-v-50.md b/mdop/appv-v5/deploying-app-v-50.md index 19b19dfd9a..770bd500c6 100644 --- a/mdop/appv-v5/deploying-app-v-50.md +++ b/mdop/appv-v5/deploying-app-v-50.md @@ -44,10 +44,10 @@ Microsoft Application Virtualization (App-V) 5.0 (App-V 5.0) supports a number o - [Troubleshooting App-V 5.0](troubleshooting-app-v-50.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md b/mdop/appv-v5/deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md index 567d2252a3..04909d257a 100644 --- a/mdop/appv-v5/deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md +++ b/mdop/appv-v5/deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md @@ -32,10 +32,10 @@ Explains how to configure the App-V client to enable only administrators to publ [How to Enable Only Administrators to Publish Packages by Using an ESD](how-to-enable-only-administrators-to-publish-packages-by-using-an-esd51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for using an ESD and App-V 5.1 diff --git a/mdop/appv-v5/deploying-app-v-51.md b/mdop/appv-v5/deploying-app-v-51.md index c3f71fdcd4..0ba705d646 100644 --- a/mdop/appv-v5/deploying-app-v-51.md +++ b/mdop/appv-v5/deploying-app-v-51.md @@ -46,10 +46,10 @@ Microsoft Application Virtualization (App-V) 5.1 supports a number of different - [Technical Reference for App-V 5.1](technical-reference-for-app-v-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md index c948d0f95e..b079ba6b69 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md @@ -297,10 +297,10 @@ The following table provides a full list of supported integration points for Off [About App-V 5.0 Dynamic Configuration](about-app-v-50-dynamic-configuration.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md index 25b2005356..add55ebcc0 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md @@ -298,10 +298,10 @@ The following table provides a full list of supported integration points for Off [About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md index 6a30148ca3..4563729fa2 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md @@ -875,10 +875,10 @@ The following table describes the requirements and options for deploying Visio 2 [About App-V 5.0 Dynamic Configuration](about-app-v-50-dynamic-configuration.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md index 8b3ad7e937..8ff13f6470 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md @@ -881,10 +881,10 @@ The following table describes the requirements and options for deploying Visio 2 [About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index f45c3a42c9..dc3be9799d 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -785,7 +785,7 @@ The following table describes the requirements and options for deploying Visio 2 [About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md index 3cf91ddf99..be3dcbac56 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md @@ -784,7 +784,7 @@ The following table describes the requirements and options for deploying Visio 2 [About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + diff --git a/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md b/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md index 8004f0026d..9124dd0305 100644 --- a/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md +++ b/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md @@ -107,10 +107,10 @@ In App-V 5.0 SP3, some logs have been consolidated. See [About App-V 5.0 SP3](ab [Planning for App-V 5.0](planning-for-app-v-50-rc.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-the-app-v-50-server.md b/mdop/appv-v5/deploying-the-app-v-50-server.md index 4d086c9b5e..5381037f48 100644 --- a/mdop/appv-v5/deploying-the-app-v-50-server.md +++ b/mdop/appv-v5/deploying-the-app-v-50-server.md @@ -111,10 +111,10 @@ Use the following link for more information [About App-V 5.0 Reporting](about-ap [Deploying App-V 5.0](deploying-app-v-50.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md b/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md index 13f68827b2..4e19a4e5ab 100644 --- a/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md +++ b/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md @@ -105,10 +105,10 @@ You can use the App-V 5.1 Sequencer log information to help troubleshoot the Seq [Planning for App-V 5.1](planning-for-app-v-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/deploying-the-app-v-51-server.md b/mdop/appv-v5/deploying-the-app-v-51-server.md index 95deacfadd..aff7bdb99b 100644 --- a/mdop/appv-v5/deploying-the-app-v-51-server.md +++ b/mdop/appv-v5/deploying-the-app-v-51-server.md @@ -111,10 +111,10 @@ Use the following link for more information [About App-V 5.1 Reporting](about-ap [Deploying App-V 5.1](deploying-app-v-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/evaluating-app-v-50.md b/mdop/appv-v5/evaluating-app-v-50.md index ff10fbf937..972342d307 100644 --- a/mdop/appv-v5/evaluating-app-v-50.md +++ b/mdop/appv-v5/evaluating-app-v-50.md @@ -45,10 +45,10 @@ Use the following link for more information about creating and managing virtuali - [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/evaluating-app-v-51.md b/mdop/appv-v5/evaluating-app-v-51.md index 11ce2c4b97..41aad1077c 100644 --- a/mdop/appv-v5/evaluating-app-v-51.md +++ b/mdop/appv-v5/evaluating-app-v-51.md @@ -45,10 +45,10 @@ Use the following link for more information about creating and managing virtuali - [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/getting-started-with-app-v-50--rtm.md b/mdop/appv-v5/getting-started-with-app-v-50--rtm.md index bb9c37193f..621eb9a3f4 100644 --- a/mdop/appv-v5/getting-started-with-app-v-50--rtm.md +++ b/mdop/appv-v5/getting-started-with-app-v-50--rtm.md @@ -132,10 +132,10 @@ This section of the App-V 5.0 Administrator’s Guide includes high-level inform - [Troubleshooting App-V 5.0](troubleshooting-app-v-50.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/getting-started-with-app-v-51.md b/mdop/appv-v5/getting-started-with-app-v-51.md index 7c6e9d1eaf..5729e3b1ac 100644 --- a/mdop/appv-v5/getting-started-with-app-v-51.md +++ b/mdop/appv-v5/getting-started-with-app-v-51.md @@ -122,10 +122,10 @@ This section of the App-V 5.1 Administrator’s Guide includes high-level inform - [Technical Reference for App-V 5.1](technical-reference-for-app-v-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/high-level-architecture-for-app-v-50.md b/mdop/appv-v5/high-level-architecture-for-app-v-50.md index 468e3cd99e..3f7b38c37a 100644 --- a/mdop/appv-v5/high-level-architecture-for-app-v-50.md +++ b/mdop/appv-v5/high-level-architecture-for-app-v-50.md @@ -68,10 +68,10 @@ If you are using App-V 5.0 with Electronic Software Distribution (ESD) you are n   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/high-level-architecture-for-app-v-51.md b/mdop/appv-v5/high-level-architecture-for-app-v-51.md index bad74e4444..dc5140b458 100644 --- a/mdop/appv-v5/high-level-architecture-for-app-v-51.md +++ b/mdop/appv-v5/high-level-architecture-for-app-v-51.md @@ -68,10 +68,10 @@ If you are using App-V 5.1 with Electronic Software Distribution (ESD) you are n   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md index 3cb0a94237..a3969a0d7f 100644 --- a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md @@ -34,7 +34,13 @@ You must configure the package converter to always save the package ingredients 1. Install the App-V Sequencer on a computer in your environment. For information about how to install the Sequencer, see [How to Install the Sequencer](how-to-install-the-sequencer-beta-gb18030.md). -2. +2. Import the required Powershell Module + +```powershell +Import-Module AppVPkgConverter +``` + +3. The following cmdlets are available: diff --git a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md index cb834b9255..ab28dd48a0 100644 --- a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md +++ b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md @@ -89,10 +89,10 @@ To upgrade a package in earlier versions of App-V, you had to perform several st   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md index 7ad72e75ea..13df4fafc6 100644 --- a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md +++ b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md @@ -89,10 +89,10 @@ To upgrade a package in some earlier versions of App-V, you had to perform sever   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md index c441baefdb..91b56c8a74 100644 --- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md +++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md @@ -278,10 +278,10 @@ Review the following requirements before using optional packages in connection g   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md index 8cc9502a28..c43e18358d 100644 --- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md +++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md @@ -277,10 +277,10 @@ Review the following requirements before using optional packages in connection g   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md index 9ffe0cc1ce..ca33b4be38 100644 --- a/mdop/appv-v5/index.md +++ b/mdop/appv-v5/index.md @@ -44,10 +44,10 @@ Learn about the latest MDOP information and resources. [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/maintaining-app-v-50.md b/mdop/appv-v5/maintaining-app-v-50.md index 48aa786de9..0abd36efa4 100644 --- a/mdop/appv-v5/maintaining-app-v-50.md +++ b/mdop/appv-v5/maintaining-app-v-50.md @@ -30,10 +30,10 @@ Independent software vendors (ISV) who want to determine if an application is ru Additionally, ISV’s who want to explicitly virtualize or not virtualize calls on specific API’s with App-V 5.0 and above, can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module. These provide a way of hinting at a downstream component that the call should or should not be virtualized. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for maintaining App-V 5.0 diff --git a/mdop/appv-v5/maintaining-app-v-51.md b/mdop/appv-v5/maintaining-app-v-51.md index cbacf9759a..94b2057911 100644 --- a/mdop/appv-v5/maintaining-app-v-51.md +++ b/mdop/appv-v5/maintaining-app-v-51.md @@ -30,10 +30,10 @@ Independent software vendors (ISV) who want to determine if an application is ru Additionally, ISV’s who want to explicitly virtualize or not virtualize calls on specific API’s with App-V 5.1 and above, can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module. These provide a way of hinting at a downstream component that the call should or should not be virtualized. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for maintaining App-V 5.1 diff --git a/mdop/appv-v5/managing-connection-groups.md b/mdop/appv-v5/managing-connection-groups.md index 241719b9c7..a1c4180e77 100644 --- a/mdop/appv-v5/managing-connection-groups.md +++ b/mdop/appv-v5/managing-connection-groups.md @@ -58,10 +58,10 @@ In previous versions of App-V 5.0, connection groups were referred to as Dynamic   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for App-V 5.0 connection groups diff --git a/mdop/appv-v5/managing-connection-groups51.md b/mdop/appv-v5/managing-connection-groups51.md index 90eb98b154..c325456217 100644 --- a/mdop/appv-v5/managing-connection-groups51.md +++ b/mdop/appv-v5/managing-connection-groups51.md @@ -58,10 +58,10 @@ In some previous versions of App-V, connection groups were referred to as Dynami   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for App-V 5.1 connection groups diff --git a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md index 62fd3a60df..a1be89fa9a 100644 --- a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md +++ b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md @@ -10,43 +10,46 @@ ms.prod: w10 ms.date: 06/16/2016 --- - # Microsoft Application Virtualization 5.0 Administrator's Guide - The Microsoft Application Virtualization (App-V) 5.0 Administrator’s Guide provides information and step-by-step procedures to help you administer the App-V 5.0 system and its components. This information will be valuable for system administrators who manage large installations with many servers and clients and for support personnel who interact directly with the computers or the end users. -[Getting Started with App-V 5.0](getting-started-with-app-v-50--rtm.md) - -[About App-V 5.0](about-app-v-50.md)**|**[About App-V 5.0 SP1](about-app-v-50-sp1.md)**|**[About App-V 5.0 SP2](about-app-v-50-sp2.md)**|**[About App-V 5.0 SP3](about-app-v-50-sp3.md)**|**[Evaluating App-V 5.0](evaluating-app-v-50.md)**|**[High Level Architecture for App-V 5.0](high-level-architecture-for-app-v-50.md)**|**[Accessibility for App-V 5.0](accessibility-for-app-v-50.md) - -[Planning for App-V 5.0](planning-for-app-v-50-rc.md) - -[Preparing Your Environment for App-V 5.0](preparing-your-environment-for-app-v-50.md)**|**[App-V 5.0 Prerequisites](app-v-50-prerequisites.md)**|**[App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md)**|**[Planning to Deploy App-V](planning-to-deploy-app-v.md)**|**[App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md)**||**App-V 5.0 SP3 Supported Configurations[App-V 5.0 Planning Checklist](app-v-50-planning-checklist.md) - -[Deploying App-V 5.0](deploying-app-v-50.md) - -[Deploying the App-V 5.0 Sequencer and Client](deploying-the-app-v-50-sequencer-and-client.md)**|**[Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md)**|**[App-V 5.0 Deployment Checklist](app-v-50-deployment-checklist.md)**|**[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)**|**[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) - -[Operations for App-V 5.0](operations-for-app-v-50.md) - -[Creating and Managing App-V 5.0 Virtualized Applications](creating-and-managing-app-v-50-virtualized-applications.md)**|**[Administering App-V 5.0 Virtual Applications by Using the Management Console](administering-app-v-50-virtual-applications-by-using-the-management-console.md)**|**[Managing Connection Groups](managing-connection-groups.md)**|**[Deploying App-V 5.0 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md)**|**[Using the App-V 5.0 Client Management Console](using-the-app-v-50-client-management-console.md)**|**[Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md)**|**[Maintaining App-V 5.0](maintaining-app-v-50.md)**|**[Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) - -[Troubleshooting App-V 5.0](troubleshooting-app-v-50.md) - -[Technical Reference for App-V 5.0](technical-reference-for-app-v-50.md) - -[Performance Guidance for Application Virtualization 5.0](performance-guidance-for-application-virtualization-50.md)**|**[Application Publishing and Client Interaction](application-publishing-and-client-interaction.md)**|**[Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata.md)**|**[Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md) - -### Got a suggestion for App-V? - -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). - -  - -  - - - +- [Getting Started with App-V 5.0](getting-started-with-app-v-50--rtm.md) + - [About App-V 5.0](about-app-v-50.md) + - [About App-V 5.0 SP1](about-app-v-50-sp1.md) + - [About App-V 5.0 SP2](about-app-v-50-sp2.md) + - [About App-V 5.0 SP3](about-app-v-50-sp3.md) + - [Evaluating App-V 5.0](evaluating-app-v-50.md) + - [High Level Architecture for App-V 5.0](high-level-architecture-for-app-v-50.md) + - [Accessibility for App-V 5.0](accessibility-for-app-v-50.md) +- [Planning for App-V 5.0](planning-for-app-v-50-rc.md) + - [Preparing Your Environment for App-V 5.0](preparing-your-environment-for-app-v-50.md) + - [Planning to Deploy App-V](planning-to-deploy-app-v.md) + - [App-V 5.0 Planning Checklist](app-v-50-planning-checklist.md) +- [Deploying App-V 5.0](deploying-app-v-50.md) + - [Deploying the App-V 5.0 Sequencer and Client](deploying-the-app-v-50-sequencer-and-client.md) + - [Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md) + - [App-V 5.0 Deployment Checklist](app-v-50-deployment-checklist.md) + - [Deploying Microsoft Office 2016 by Using App-V](deploying-microsoft-office-2016-by-using-app-v.md) + - [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md) + - [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) +- [Operations for App-V 5.0](operations-for-app-v-50.md) + - [Creating and Managing App-V 5.0 Virtualized Applications](creating-and-managing-app-v-50-virtualized-applications.md) + - [Administering App-V 5.0 Virtual Applications by Using the Management Console](administering-app-v-50-virtual-applications-by-using-the-management-console.md) + - [Managing Connection Groups](managing-connection-groups.md) + - [Deploying App-V 5.0 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md) + - [Using the App-V 5.0 Client Management Console](using-the-app-v-50-client-management-console.md) + - [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) + - [Maintaining App-V 5.0](maintaining-app-v-50.md) + - [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) +- [Troubleshooting App-V 5.0](troubleshooting-app-v-50.md) +- [Technical Reference for App-V 5.0](technical-reference-for-app-v-50.md) + - [Performance Guidance for Application Virtualization 5.0](performance-guidance-for-application-virtualization-50.md) + - [Application Publishing and Client Interaction](application-publishing-and-client-interaction.md) + - [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata.md) + - [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md) +# +- Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). +- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md index 35a1f17856..4df47b66b2 100644 --- a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md +++ b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md @@ -10,43 +10,42 @@ ms.prod: w10 ms.date: 06/16/2016 --- - # Microsoft Application Virtualization 5.1 Administrator's Guide - The Microsoft Application Virtualization (App-V) 5.1 Administrator’s Guide provides information and step-by-step procedures to help you administer the App-V 5.1 system and its components. This information will be valuable for system administrators who manage large installations with many servers and clients and for support personnel who interact directly with the computers or the end users. -[Getting Started with App-V 5.1](getting-started-with-app-v-51.md) - -[About App-V 5.1](about-app-v-51.md)**|**[Evaluating App-V 5.1](evaluating-app-v-51.md)**|**[High Level Architecture for App-V 5.1](high-level-architecture-for-app-v-51.md)**|**[Accessibility for App-V 5.1](accessibility-for-app-v-51.md) - -[Planning for App-V 5.1](planning-for-app-v-51.md) - -[Preparing Your Environment for App-V 5.1](preparing-your-environment-for-app-v-51.md)**|**[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)**|**[Planning to Deploy App-V](planning-to-deploy-app-v51.md)**|**[App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md)**|**[App-V 5.1 Planning Checklist](app-v-51-planning-checklist.md) - -[Deploying App-V 5.1](deploying-app-v-51.md) - -[Deploying the App-V 5.1 Sequencer and Client](deploying-the-app-v-51-sequencer-and-client.md)**|**[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)**|**[App-V 5.1 Deployment Checklist](app-v-51-deployment-checklist.md)**|**[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md)**|**[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md) - -[Operations for App-V 5.1](operations-for-app-v-51.md) - -[Creating and Managing App-V 5.1 Virtualized Applications](creating-and-managing-app-v-51-virtualized-applications.md)**|**[Administering App-V 5.1 Virtual Applications by Using the Management Console](administering-app-v-51-virtual-applications-by-using-the-management-console.md)**|**[Managing Connection Groups](managing-connection-groups51.md)**|**[Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md)**|**[Using the App-V 5.1 Client Management Console](using-the-app-v-51-client-management-console.md)**|**[Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md)**|**[Maintaining App-V 5.1](maintaining-app-v-51.md)**|**[Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) - -[Troubleshooting App-V 5.1](troubleshooting-app-v-51.md) - -[Technical Reference for App-V 5.1](technical-reference-for-app-v-51.md) - -[Performance Guidance for Application Virtualization 5.1](performance-guidance-for-application-virtualization-51.md)**|**[Application Publishing and Client Interaction](application-publishing-and-client-interaction51.md)**|**[Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata51.md)**|**[Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md) - -### Got a suggestion for App-V? - -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). - -  - -  - - - +- [Getting Started with App-V 5.1](getting-started-with-app-v-51.md) + - [About App-V 5.1](about-app-v-51.md) + - [Evaluating App-V 5.1](evaluating-app-v-51.md) + - [High Level Architecture for App-V 5.1](high-level-architecture-for-app-v-51.md) + - [Accessibility for App-V 5.1](accessibility-for-app-v-51.md) +- [Planning for App-V 5.1](planning-for-app-v-51.md) + - [Preparing Your Environment for App-V 5.1](preparing-your-environment-for-app-v-51.md) + - [Planning to Deploy App-V](planning-to-deploy-app-v51.md) +- [Deploying App-V 5.1](deploying-app-v-51.md) + - [Deploying the App-V 5.1 Sequencer and Client](deploying-the-app-v-51-sequencer-and-client.md) + - [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md) + - [App-V 5.1 Deployment Checklist](app-v-51-deployment-checklist.md) + - [Deploying Microsoft Office 2016 by Using App-V](deploying-microsoft-office-2016-by-using-app-v51.md) + - [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md) + - [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md) +- [Operations for App-V 5.1](operations-for-app-v-51.md) + - [Creating and Managing App-V 5.1 Virtualized Applications](creating-and-managing-app-v-51-virtualized-applications.md) + - [Administering App-V 5.1 Virtual Applications by Using the Management Console](administering-app-v-51-virtual-applications-by-using-the-management-console.md) + - [Managing Connection Groups](managing-connection-groups51.md) + - [Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md) + - [Using the App-V 5.1 Client Management Console](using-the-app-v-51-client-management-console.md) + - [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) + - [Maintaining App-V 5.1](maintaining-app-v-51.md) + - [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) +- [Troubleshooting App-V 5.1](troubleshooting-app-v-51.md) +- [Technical Reference for App-V 5.1](technical-reference-for-app-v-51.md) + - [Performance Guidance for Application Virtualization 5.1](performance-guidance-for-application-virtualization-51.md) + - [Application Publishing and Client Interaction](application-publishing-and-client-interaction51.md) + - [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata51.md) + - [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md) +# +- Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). +- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md b/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md index f4488ba203..210fd210db 100644 --- a/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md +++ b/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md @@ -174,10 +174,10 @@ You can also perform additional migration tasks such as reconfiguring end points [How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for performing App-V migration tasks diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 9a943e6330..325d571bbf 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -310,10 +310,10 @@ You can also perform additional migration tasks such as reconfiguring end points [How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for performing App-V migration tasks diff --git a/mdop/appv-v5/operations-for-app-v-50.md b/mdop/appv-v5/operations-for-app-v-50.md index 86e639c9bc..c5bd02a3de 100644 --- a/mdop/appv-v5/operations-for-app-v-50.md +++ b/mdop/appv-v5/operations-for-app-v-50.md @@ -47,10 +47,10 @@ This section of the App-V 5.0 Administrator’s Guide includes information about Describes the set of Windows PowerShell cmdlets available for administrators performing various App-V 5.0 server tasks. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other Resources for App-V Operations diff --git a/mdop/appv-v5/operations-for-app-v-51.md b/mdop/appv-v5/operations-for-app-v-51.md index 981269ffe0..e289af08ec 100644 --- a/mdop/appv-v5/operations-for-app-v-51.md +++ b/mdop/appv-v5/operations-for-app-v-51.md @@ -47,10 +47,10 @@ This section of the Microsoft Application Virtualization (App-V) 5.1 Administrat Describes the set of Windows PowerShell cmdlets available for administrators performing various App-V 5.1 server tasks. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other Resources for App-V Operations diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md index bbc5378d44..538d1e5db2 100644 --- a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md +++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md @@ -736,10 +736,10 @@ The following terms are used when describing concepts and actions related to App - **User Profile Management** – The controlled and structured approach to managing user components associated with the environment. For example, user profiles, preference and policy management, application control and application deployment. You can use scripting or third-party solutions configure the environment as needed. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md index 2f09ab6f22..978deed7ea 100644 --- a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md +++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md @@ -743,10 +743,10 @@ The following terms are used when describing concepts and actions related to App - **User Profile Management** – The controlled and structured approach to managing user components associated with the environment. For example, user profiles, preference and policy management, application control and application deployment. You can use scripting or third-party solutions configure the environment as needed. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-for-app-v-50-rc.md b/mdop/appv-v5/planning-for-app-v-50-rc.md index 2546435ca5..79444cbce4 100644 --- a/mdop/appv-v5/planning-for-app-v-50-rc.md +++ b/mdop/appv-v5/planning-for-app-v-50-rc.md @@ -31,10 +31,10 @@ Use this information to plan how to deploy Microsoft Application Virtualization Planning checklist that can be used to assist in App-V 5.0 deployment planning. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for App-V 5.0 Planning diff --git a/mdop/appv-v5/planning-for-app-v-51.md b/mdop/appv-v5/planning-for-app-v-51.md index 321373b383..d42ae9c0bf 100644 --- a/mdop/appv-v5/planning-for-app-v-51.md +++ b/mdop/appv-v5/planning-for-app-v-51.md @@ -31,10 +31,10 @@ Use this information to plan how to deploy Microsoft Application Virtualization Planning checklist that can be used to assist in App-V 5.1 deployment planning. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for App-V 5.1 Planning diff --git a/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md b/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md index 89efccc8de..f6b15844ca 100644 --- a/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md +++ b/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md @@ -138,10 +138,10 @@ Click any of the following links for more information: The App-V 5.1 management server database supports deployments to computers running Microsoft SQL Server with the **Always On** configuration. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md index 111265456f..054ef35b28 100644 --- a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md @@ -122,10 +122,10 @@ Before migrating a package, created using App-V 4.6 SP3 or earlier, to App-V 5 For more information about using the package converter to convert a package, see [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v.md). After you convert the file, you can deploy it to target computers that run the App-V 5.0 client. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md index ccdd275962..231df856fe 100644 --- a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md +++ b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md @@ -127,10 +127,10 @@ Before migrating a package, created using App- 4.6 SP2 or earlier, to App-V 5. For more information about using the package converter to convert a package, see [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md). After you convert the file, you can deploy it to target computers that run the App-V 5.1 client. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md b/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md index 73ddf67a18..04f45a5dbf 100644 --- a/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md @@ -84,10 +84,10 @@ The following list displays some of the benefits of using the App-V 5.0 shared c [How to Install the App-V 5.0 Client for Shared Content Store Mode](how-to-install-the-app-v-50-client-for-shared-content-store-mode.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for the App-V 5.0 deployment diff --git a/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md b/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md index 661dfcedd4..9099adcfe8 100644 --- a/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md @@ -96,10 +96,10 @@ The following displays information about server-related protocols used by the Ap   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md b/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md index 078f827126..c99f940821 100644 --- a/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md @@ -76,10 +76,10 @@ The following list displays some of the benefits of using the App-V 5.1 shared c - Simplified profile management -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for the App-V 5.1 deployment diff --git a/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md b/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md index 86dada8179..89bcb718f8 100644 --- a/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md @@ -96,10 +96,10 @@ The following displays information about server-related protocols used by the Ap   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office.md b/mdop/appv-v5/planning-for-using-app-v-with-office.md index 83ae379e97..e294521ae9 100644 --- a/mdop/appv-v5/planning-for-using-app-v-with-office.md +++ b/mdop/appv-v5/planning-for-using-app-v-with-office.md @@ -380,10 +380,10 @@ The Office 2013 App-V package supports the following integration points with the   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md index 2058a48f3a..7dc75eda7b 100644 --- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md +++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md @@ -317,10 +317,10 @@ The Office 2013 App-V package supports the following integration points with the   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/planning-to-deploy-app-v-50-with-an-electronic-software-distribution-system.md b/mdop/appv-v5/planning-to-deploy-app-v-50-with-an-electronic-software-distribution-system.md index 27127d430e..094d3b8da9 100644 --- a/mdop/appv-v5/planning-to-deploy-app-v-50-with-an-electronic-software-distribution-system.md +++ b/mdop/appv-v5/planning-to-deploy-app-v-50-with-an-electronic-software-distribution-system.md @@ -44,10 +44,10 @@ Review the following component and architecture requirements options that apply   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/planning-to-deploy-app-v-51-with-an-electronic-software-distribution-system.md b/mdop/appv-v5/planning-to-deploy-app-v-51-with-an-electronic-software-distribution-system.md index ab36ff9ab2..4379f770b5 100644 --- a/mdop/appv-v5/planning-to-deploy-app-v-51-with-an-electronic-software-distribution-system.md +++ b/mdop/appv-v5/planning-to-deploy-app-v-51-with-an-electronic-software-distribution-system.md @@ -44,10 +44,10 @@ Review the following component and architecture requirements options that apply   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md index a1f34fddf2..965c5d7d71 100644 --- a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md +++ b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md @@ -176,10 +176,10 @@ The following table describes how folder redirection works when %AppData% is red   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md index 83456b984c..1da6047c3f 100644 --- a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md +++ b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md @@ -176,10 +176,10 @@ The following table describes how folder redirection works when %AppData% is red   -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/preparing-your-environment-for-app-v-50.md b/mdop/appv-v5/preparing-your-environment-for-app-v-50.md index 1b60134351..3bc788d92f 100644 --- a/mdop/appv-v5/preparing-your-environment-for-app-v-50.md +++ b/mdop/appv-v5/preparing-your-environment-for-app-v-50.md @@ -37,10 +37,10 @@ There are a number of different deployment configurations and prerequisites that Describes accounts, groups, log files, and other considerations for securing your App-V environment. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for App-V 5.0 Planning diff --git a/mdop/appv-v5/preparing-your-environment-for-app-v-51.md b/mdop/appv-v5/preparing-your-environment-for-app-v-51.md index f34fb1f8f6..b72ed1d762 100644 --- a/mdop/appv-v5/preparing-your-environment-for-app-v-51.md +++ b/mdop/appv-v5/preparing-your-environment-for-app-v-51.md @@ -30,10 +30,10 @@ There are a number of different deployment configurations and prerequisites that Describes accounts, groups, log files, and other considerations for securing your App-V environment. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Other resources for App-V 5.1 Planning diff --git a/mdop/appv-v5/release-notes-for-app-v-50-sp1.md b/mdop/appv-v5/release-notes-for-app-v-50-sp1.md index 6c2b2934d8..6074975fb7 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50-sp1.md +++ b/mdop/appv-v5/release-notes-for-app-v-50-sp1.md @@ -51,10 +51,10 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/release-notes-for-app-v-50-sp2.md b/mdop/appv-v5/release-notes-for-app-v-50-sp2.md index d4e5afaf67..c5b1e8f26c 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50-sp2.md +++ b/mdop/appv-v5/release-notes-for-app-v-50-sp2.md @@ -147,10 +147,10 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/release-notes-for-app-v-50-sp3.md b/mdop/appv-v5/release-notes-for-app-v-50-sp3.md index 2fcfd69810..10f588bb25 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50-sp3.md +++ b/mdop/appv-v5/release-notes-for-app-v-50-sp3.md @@ -36,10 +36,10 @@ When you receive updated packages by querying Active Directory Domain Services f **Workaround**: Wait until the user logs off and then logs back on before you query for updated group memberships. Do not use the registry key, described in [Hotfix Package 2 for Microsoft Application Virtualization 5.0 Service Pack 1](https://support.microsoft.com/kb/2897087), to query for updated group memberships. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/release-notes-for-app-v-50.md b/mdop/appv-v5/release-notes-for-app-v-50.md index 6ea5039162..53b1e5ba8b 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50.md +++ b/mdop/appv-v5/release-notes-for-app-v-50.md @@ -63,10 +63,10 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/release-notes-for-app-v-51.md b/mdop/appv-v5/release-notes-for-app-v-51.md index 846068b26f..e74981af10 100644 --- a/mdop/appv-v5/release-notes-for-app-v-51.md +++ b/mdop/appv-v5/release-notes-for-app-v-51.md @@ -182,10 +182,10 @@ Occassionally when mounting a package, a "File Not Found" (0x80070002) error is -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md index 951a544882..09f1efd097 100644 --- a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md +++ b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md @@ -172,10 +172,10 @@ If you don’t know the exact name of your package, use the command line **Get-A This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md index 8a9e026051..2dfb9a76cf 100644 --- a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md +++ b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md @@ -172,10 +172,10 @@ If you don’t know the exact name of your package, use the command line **Get-A This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/technical-reference-for-app-v-50.md b/mdop/appv-v5/technical-reference-for-app-v-50.md index 9e0cc51619..0d8c094017 100644 --- a/mdop/appv-v5/technical-reference-for-app-v-50.md +++ b/mdop/appv-v5/technical-reference-for-app-v-50.md @@ -27,10 +27,10 @@ This section provides reference information related to managing App-V 5.0. Describes how the following App-V client operations affect the local operating system: App-V files and data storage locations, package registry, package store behavior, roaming registry and data, client application lifecycle management, integration of App-V packages, dynamic configuration, side-by-side assemblies, and client logging. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/technical-reference-for-app-v-51.md b/mdop/appv-v5/technical-reference-for-app-v-51.md index 0f766d73fa..54e325ba1a 100644 --- a/mdop/appv-v5/technical-reference-for-app-v-51.md +++ b/mdop/appv-v5/technical-reference-for-app-v-51.md @@ -27,10 +27,10 @@ This section provides reference information related to managing App-V 5.1. Describes how the following App-V client operations affect the local operating system: App-V files and data storage locations, package registry, package store behavior, roaming registry and data, client application lifecycle management, integration of App-V packages, dynamic configuration, side-by-side assemblies, and client logging. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/troubleshooting-app-v-50.md b/mdop/appv-v5/troubleshooting-app-v-50.md index 76f24b7d03..6e168ec818 100644 --- a/mdop/appv-v5/troubleshooting-app-v-50.md +++ b/mdop/appv-v5/troubleshooting-app-v-50.md @@ -79,10 +79,10 @@ If you have a troubleshooting tip or a best practice to share that is not alread - [Operations for App-V 5.0](operations-for-app-v-50.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/troubleshooting-app-v-51.md b/mdop/appv-v5/troubleshooting-app-v-51.md index 32614aa840..98f87e4069 100644 --- a/mdop/appv-v5/troubleshooting-app-v-51.md +++ b/mdop/appv-v5/troubleshooting-app-v-51.md @@ -79,10 +79,10 @@ If you have a troubleshooting tip or a best practice to share that is not alread - [Operations for App-V 5.1](operations-for-app-v-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +   diff --git a/mdop/appv-v5/using-the-app-v-50-client-management-console.md b/mdop/appv-v5/using-the-app-v-50-client-management-console.md index 947ee41302..5895a83355 100644 --- a/mdop/appv-v5/using-the-app-v-50-client-management-console.md +++ b/mdop/appv-v5/using-the-app-v-50-client-management-console.md @@ -73,10 +73,10 @@ The client management console contains the following described main tabs. [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/using-the-app-v-51-client-management-console.md b/mdop/appv-v5/using-the-app-v-51-client-management-console.md index 2e7da99787..a7c2241534 100644 --- a/mdop/appv-v5/using-the-app-v-51-client-management-console.md +++ b/mdop/appv-v5/using-the-app-v-51-client-management-console.md @@ -73,10 +73,10 @@ The client management console contains the following described main tabs. [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md) -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md b/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md index 3f5111ff89..512ce4468b 100644 --- a/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md +++ b/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md @@ -236,10 +236,10 @@ The Publishing server communicates with the Management server to determine which You can view the metadata for each request in an Internet browser by using a query that is in the context of the specific user or computer. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md b/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md index cdafcc2360..f1506ca3e6 100644 --- a/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md +++ b/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md @@ -246,10 +246,10 @@ The Publishing server communicates with the Management server to determine which You can view the metadata for each request in an Internet browser by using a query that is in the context of the specific user or computer. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/whats-new-in-app-v-50-sp1.md b/mdop/appv-v5/whats-new-in-app-v-50-sp1.md index ebd0974f59..d2f510a0eb 100644 --- a/mdop/appv-v5/whats-new-in-app-v-50-sp1.md +++ b/mdop/appv-v5/whats-new-in-app-v-50-sp1.md @@ -40,10 +40,10 @@ The following list contains more information about the new Language Packs: **Microsoft Office 2010 Sequencing Kit for Application Virtualization 5.0** – helps provide users with a consistent experience using a virtualized version of Microsoft Office 2010. The **Microsoft Office 2010 Sequencing Kit for Application Virtualization 5.0** is used in conjunction with the **Microsoft Office 2010 Deployment Kit for App-V** and also provides the required Microsoft Office 2010 licensing service. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/appv-v5/whats-new-in-app-v-50.md b/mdop/appv-v5/whats-new-in-app-v-50.md index 4102a04796..6b82f04ffb 100644 --- a/mdop/appv-v5/whats-new-in-app-v-50.md +++ b/mdop/appv-v5/whats-new-in-app-v-50.md @@ -151,10 +151,10 @@ The application and licensing functionality has been removed in App-V 5.0. The a There is no file or application cache available with App-V 5.0. -## Got a suggestion for App-V? -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + ## Related topics diff --git a/mdop/docfx.json b/mdop/docfx.json index 530722278f..60c7cbf596 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -27,13 +27,15 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "Win.mdop" + "depot_name": "Win.mdop", + "folder_relative_path_in_docset": "./" } } }, "externalReference": [ ], "template": "op.html", - "dest": "mdop" + "dest": "mdop", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 698d549d6c..703010dfa2 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -14,7 +14,7 @@ ms.date: 04/23/2017 # How to Enable BitLocker by Using MBAM as Part of a Windows Deployment -This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process. If you see a black screen at restart (after Install phase concludes) indicating that the drive cannot be unlocked, see [Windows versions prior Windows 10 build 1511 fail to start after "Setup Windows and Configuration Manager" step when Pre-Provision BitLocker is used with Windows PE 10.0.586.0 (1511)](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/). +This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process. If you see a black screen at restart (after Install phase concludes) indicating that the drive cannot be unlocked, see [Earlier Windows versions don't start after "Setup Windows and Configuration Manager" step if Pre-Provision BitLocker is used with Windows 10, version 1511](https://support.microsoft.com/en-us/help/4494799/earlier-windows-versions-don-t-start-after-you-use-pre-provision-bitlo). **Prerequisites:** @@ -47,7 +47,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Escrow TPM OwnerAuth For Windows 7, MBAM must own the TPM for escrow to occur. For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. - For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. + For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. - Escrow recovery keys and recovery key packages @@ -66,7 +66,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M **MBAM\_Machine WMI Class** **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. - **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. + **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. | Parameter | Description | | -------- | ----------- | @@ -179,7 +179,7 @@ Here are a list of common error messages: 3. Name the step **Persist TPM OwnerAuth** 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"` - **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. + **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. 3. In the **State Restore** folder, delete the **Enable BitLocker** task. @@ -330,4 +330,4 @@ Here are a list of common error messages: ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). \ No newline at end of file +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md index 0eacccc566..49e6e8a74c 100644 --- a/mdop/uev-v1/index.md +++ b/mdop/uev-v1/index.md @@ -13,6 +13,9 @@ ms.date: 04/19/2017 # Microsoft User Experience Virtualization (UE-V) 1.0 +>[!NOTE] +>This documentation is a for version of UE-V that was included in the Microsoft Desktop Optimization Pack (MDOP). For information about the latest version of UE-V which is included in Windows 10 Enterprise, see [Get Started with UE-V](https://docs.microsoft.com/windows/configuration/ue-v/uev-getting-started). + Microsoft User Experience Virtualization (UE-V) captures and centralizes application settings and Windows operating system settings for the user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. diff --git a/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md index 783e1c769e..7c04b3654e 100644 --- a/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md @@ -81,10 +81,10 @@ Microsoft Support Services are subject to the prices, terms, and conditions in p For more information about how accessible technology for computers can help to improve the lives of people with disabilities, see the [Microsoft Accessibility website](https://go.microsoft.com/fwlink/p/?linkid=8431). -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/administering-ue-v-2x-new-uevv2.md b/mdop/uev-v2/administering-ue-v-2x-new-uevv2.md index d94d580f24..117459cd87 100644 --- a/mdop/uev-v2/administering-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/administering-ue-v-2x-new-uevv2.md @@ -71,10 +71,10 @@ You can use UE-V with Microsoft Application Virtualization (App-V) to share sett - [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md b/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md index f2eaf57cca..d714ca370b 100644 --- a/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md +++ b/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md @@ -35,10 +35,10 @@ After you create and deploy UE-V settings location templates, you can manage tho [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md index 5178ad8c46..951b805b9f 100644 --- a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md @@ -1865,10 +1865,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen ``` -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md index bb9871946c..917cdf3a2b 100644 --- a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md +++ b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md @@ -312,10 +312,10 @@ The following additional information applies to UE-V scheduled tasks: - The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md index 11cc48b9b5..545c246391 100644 --- a/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md @@ -75,10 +75,10 @@ The Company Settings Center can include a hyperlink that users can click to get 3. Deploy settings to users’ computers by using the management tool. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md index 112b193c14..951fd1dd2e 100644 --- a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md +++ b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md @@ -225,10 +225,10 @@ To distribute a new Notepad template, you would perform these steps: The UE-V Configuration Pack for Configuration Manager 2012 SP1 or later can be downloaded [here](https://go.microsoft.com/fwlink/?LinkId=317263). -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md b/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md index 80cd44d2e9..2917322ed7 100644 --- a/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md @@ -436,10 +436,10 @@ msiexec.exe /f "" /quiet /norestart /l*v "%temp%\UE-VAgentInst You can then retry the uninstall process or upgrade by installing the newer version of the UE-V Agent. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md index 6d433b417b..f1bafcb23e 100644 --- a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md +++ b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md @@ -319,10 +319,10 @@ Templates that are deployed by using an ESD system or Group Policy Objects must   -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md index 70d85ed710..2c31ff321d 100644 --- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md @@ -251,10 +251,10 @@ You can change the settings in Computer B back to the original Computer A settin - [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index 8932147ff3..cf1d9adb63 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md @@ -13,6 +13,9 @@ ms.date: 04/19/2017 # Microsoft User Experience Virtualization (UE-V) 2.x +>[!NOTE] +>This documentation is a for version of UE-V that was included in the Microsoft Desktop Optimization Pack (MDOP). For information about the latest version of UE-V which is included in Windows 10 Enterprise, see [Get Started with UE-V](https://docs.microsoft.com/windows/configuration/ue-v/uev-getting-started). + Capture and centralize your users’ application settings and Windows OS settings by implementing Microsoft User Experience Virtualization (UE-V) 2.0 or 2.1. Then, apply these settings to the devices users access in your enterprise, like desktop computers, laptops, or virtual desktop infrastructure (VDI) sessions. @@ -307,10 +310,10 @@ Learn about the latest MDOP information and resources. [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md b/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md index b0d0ef4e43..2ce8a8a4cf 100644 --- a/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md +++ b/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md @@ -160,10 +160,10 @@ WMI and Windows PowerShell commands let you restore application and Windows sett   -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/manage-configurations-for-ue-v-2x-new-uevv2.md b/mdop/uev-v2/manage-configurations-for-ue-v-2x-new-uevv2.md index c20f2c7664..7158058f74 100644 --- a/mdop/uev-v2/manage-configurations-for-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/manage-configurations-for-ue-v-2x-new-uevv2.md @@ -71,10 +71,10 @@ Here are some examples of UE-V configuration settings: - **Custom Contact IT Hyperlink:** Defines the path, text, and description for the **Contact IT** hyperlink in the Company Settings Center. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md index 681806fa2d..ac6a555603 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md @@ -32,55 +32,55 @@ This section contains release notes for User Experience Virtualization. When a computer has an application that is installed through both Application Virtualization (App-V) and a locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies. -WORKAROUND: To resolve this problem, run the application by selecting one of the two technologies, but not both. +**WORKAROUND:** To resolve this problem, run the application by selecting one of the two technologies, but not both. ### Settings do not synchronization when network share is outside user’s domain When Windows® 8 attempts operating system settings synchronization, the synchronization fails with the following error message: **boost::filesystem::exists::Incorrect user name or password**. This error can indicate that the network share is outside the user’s domain or a domain with a trust relationship to that domain. To check for operational log events, open the **Event Viewer** and navigate to **Applications and Services Logs** / **Microsoft** / **User Experience Virtualization** / **Logging** / **Operational**. Network shares that are used for UE-V settings storage locations should reside in the same Active Directory domain as the user or a trusted domain of the user’s domain. -WORKAROUND: Use network shares from the same Active Directory domain as the user. +**WORKAROUND:** Use network shares from the same Active Directory domain as the user. ### Unpredictable results with both Office 2010 and Office 2013 installed When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used. -WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V. +**WORKAROUND:** Install only one version of Office or limit which settings are synchronized by UE-V. ### Uninstall and re-install of Windows 8 app reverts settings to initial state While using UE-V settings synchronization for a Windows 8 app, if the user uninstalls the app and then reinstalls the app, the app’s settings revert to their default values.  This happens because the uninstall removes the local (cached) copy of the app’s settings but does not remove the local UE-V settings package.  When the app is reinstalled and launched, UE-V gather the app settings that were reset to the app defaults and then uploads the default settings to the central storage location.  Other computers running the app then download the default settings.  This behavior is identical to the behavior of desktop applications. -WORKAROUND: None. +**WORKAROUND:** None. ### Email signature roaming for Outlook 2010 UE-V will roam the Outlook 2010 signature files between devices. However, the default signature options for new messages and replies or forwards are not synchronized. These two settings are stored in the Outlook profile, which UE-V does not roam. -WORKAROUND: None. +**WORKAROUND:** None. ### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office -We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click here. ([http://office.microsoft.com/word-help/choose-the-32-bit-or-64-bit-version-of-microsoft-office-HA010369476.aspx](https://go.microsoft.com/fwlink/?LinkID=247623)). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office. +We recommend that you install the 64-bit version of Microsoft Office for modern computers. To determine which version you need, [click here](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US#32or64Bit=Newer_Versions). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office. -WORKAROUND: None +**WORKAROUND:** None ### MSI’s are not localized UE-V 2.0 includes a localized setup program for both the UE-V Agent and UE-V generator. These MSI files are still available but the user interface is minimized and the MSI’s only display in English. Despite the file being in English, the setup program installs all supported languages during the installation. -WORKAROUND: None +**WORKAROUND:** None ### Favicons that are associated with Internet Explorer 9 favorites do not roam The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer. -WORKAROUND: Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser. +**WORKAROUND:** Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser. ### File settings paths are stored in registry Some application settings store the paths of their configuration and settings files as values in the registry. The files that are referenced as paths in the registry must be synchronized when settings are roamed between computers. -WORKAROUND: Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam. +**WORKAROUND:** Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam. ### Long Settings Storage Paths could cause an error @@ -90,25 +90,25 @@ Keep settings storage paths as short as possible. Long paths could prevent resol To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational. -WORKAROUND: None. +**WORKAROUND:** None. ### Some operating system settings only roam between like operating system versions Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8. -WORKAROUND: None +**WORKAROUND:** None ### Windows 8 apps do not sync settings when the app restarts after closing unexpectedly If a Windows 8 app closes unexpectedly soon after startup, settings for the application may not be synchronized when the application is restarted. -WORKAROUND: Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app. +**WORKAROUND:** Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app. ### UE-V 1 agent generates errors when running UE-V 2 templates If a UE-V 2 settings location template is distributed to a computer installed with a UE-V 1 agent, some settings fail to synchronize between computers and the agent reports errors in the event log. -WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates. +**WORKAROUND:** When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates. ## Hotfixes and Knowledge Base articles for UE-V 2.0 diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md index fda04bf393..c59140995e 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md @@ -215,10 +215,10 @@ This section contains hotfixes and KB articles for UE-V 2.1.   -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md index f14cbf3910..de4f1b1e7b 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md @@ -226,10 +226,10 @@ This section contains hotfixes and KB articles for UE-V 2.1 SP1.   -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md index 8c8ee9c750..8c85680256 100644 --- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md +++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md @@ -790,10 +790,10 @@ The UE-V Generator must be installed on a computer that uses an NTFS file system - [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md index d82e263f02..be09b357cf 100644 --- a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md @@ -120,10 +120,10 @@ We strongly recommend that you do not pre-create folders. Instead, let the UE-V If you redirect UE-V settings to a user’s home directory or a custom Active Directory (AD) directory, ensure that the permissions on the directory are set appropriately for your organization. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md index 752d0190eb..095f82e79c 100644 --- a/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md @@ -87,10 +87,10 @@ You can configure the sync method in these ways: - After installation of the UE-V Agent, by using [Windows PowerShell or Windows Management Instrumentation (WMI)](https://technet.microsoft.com/library/dn458937.aspx) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md index 349fdff40a..c58d24cbd9 100644 --- a/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md @@ -105,10 +105,10 @@ The following table explains the trigger events for classic applications and Win   -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md b/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md index f81fd70279..62fd122e29 100644 --- a/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md +++ b/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md @@ -115,10 +115,10 @@ You can deploy UE-V settings location template with the following methods: - **Registering template via Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, then recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to your clients. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2](https://go.microsoft.com/fwlink/?LinkId=317263). -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/technical-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/technical-reference-for-ue-v-2x-both-uevv2.md index 8e0a8b28f2..3f0dd6974e 100644 --- a/mdop/uev-v2/technical-reference-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/technical-reference-for-ue-v-2x-both-uevv2.md @@ -56,10 +56,10 @@ This technical reference section includes additional technical documentation abo - [Troubleshooting UE-V 2.x](troubleshooting-ue-v-2x-both-uevv2.md) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md index 0d9717a68a..2bc7e08ad1 100644 --- a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md @@ -77,10 +77,10 @@ If you have a troubleshooting tip or a best practice to share that is not alread - [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +   diff --git a/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md b/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md index bf222f4c11..9a038522f3 100644 --- a/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md +++ b/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md @@ -36,10 +36,10 @@ UE-V monitors when an application opens by the program name and, optionally, by 4. Start the App-V package. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md b/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md index f619670ed4..7f84bd8f45 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md +++ b/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md @@ -61,10 +61,10 @@ You can provide your users with some control over which settings are synchronize Company Settings Center displays which settings are synchronized and lets users see the synchronization status of UE-V. If you let them, users can use Company Settings Center to select which settings to synchronize. They can also click the **Sync Now** button to synchronize all settings immediately. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md b/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md index 881a2d0c8b..d9d06dbd1b 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md +++ b/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md @@ -87,10 +87,10 @@ You can restore additional settings when a user adopts a new device by putting a UE-V now synchronizes touch keyboard personalization, the spelling dictionary, and enables the App Switching for recent apps and screen edge settings to synchronize between Windows 8 and Windows 8.1 devices. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md index 6677e1864c..b90480b137 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md +++ b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md @@ -75,10 +75,10 @@ To enable settings synchronization using UE-V 2.1, do one of the following: UE-V 2.1 ships [Office 2013 and Office 2010 templates](https://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). This release removes the Office 2007 templates. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get the templates from the UE-V template gallery located [here](https://go.microsoft.com/fwlink/p/?LinkID=246589). -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md index 1bfb3b6b04..b1b19388d5 100644 --- a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md +++ b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md @@ -150,10 +150,10 @@ Before you share a settings location template on the UE-V template gallery, ensu Before you deploy any settings location template that you have downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment. -## Got a suggestion for UE-V? -Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + + ## Related topics diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index db464151f8..9e0b8c0154 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -167,7 +167,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag ![Microsoft Intune management portal](images/intune_portal_home.png) -Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution). +Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution). ### 1.4 Add Azure AD to your domain Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune. diff --git a/smb/docfx.json b/smb/docfx.json index 181bf75fda..b86df232d5 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -36,12 +36,14 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "TechNet.smb" + "depot_name": "TechNet.smb", + "folder_relative_path_in_docset": "./" } } }, "fileMetadata": {}, "template": [], - "dest": "smb" + "dest": "smb", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index d383fa3117..e42cdb492c 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md @@ -8,16 +8,16 @@ ### [Settings reference: Microsoft Store for Business and Education](settings-reference-microsoft-store-for-business.md) ## [Find and acquire apps](find-and-acquire-apps-overview.md) ### [Apps in the Microsoft Store for Business and Education](apps-in-microsoft-store-for-business.md) -### [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-microsoft-store-for-business.md) +### [Acquire apps](acquire-apps-microsoft-store-for-business.md) ### [Working with line-of-business apps](working-with-line-of-business-apps.md) -## [Distribute apps to your employees from the Microsoft Store for Business and Education](distribute-apps-to-your-employees-microsoft-store-for-business.md) +## [Distribute apps](distribute-apps-to-your-employees-microsoft-store-for-business.md) ### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) ### [Assign apps to employees](assign-apps-to-employees.md) ### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) ### [Distribute offline apps](distribute-offline-apps.md) ## [Manage products and services](manage-apps-microsoft-store-for-business-overview.md) -### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md) -### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md) +### [App inventory managemement](app-inventory-management-microsoft-store-for-business.md) +### [Manage orders](manage-orders-microsoft-store-for-business.md) ### [Manage access to private store](manage-access-to-private-store.md) ### [Manage private store settings](manage-private-store-settings.md) ### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) @@ -25,13 +25,17 @@ ### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) ### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) ### [Working with solution providers in Microsoft Store for Business](work-with-partner-microsoft-store-business.md) +## [Billing and payments](billing-payments-overview.md) +### [Understand your invoice](billing-understand-your-invoice-msfb.md) +### [Payment methods](payment-methods.md) +### [Understand billing profiles](billing-profile.md) +## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) +### [Update account settings](update-microsoft-store-for-business-account-settings.md) +### [Manage user accounts ](manage-users-and-groups-microsoft-store-for-business.md) ## [Device Guard signing portal](device-guard-signing-portal.md) ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) -## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) -### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-microsoft-store-for-business-account-settings.md) -### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) -## [Troubleshoot Microsoft Store for Business](troubleshoot-microsoft-store-for-business.md) -## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) -## [Change history for Microsoft Store for Business and Education](sfb-change-history.md) +## [Troubleshoot](troubleshoot-microsoft-store-for-business.md) +## [Notifications](notifications-microsoft-store-business.md) +## [Change history](sfb-change-history.md) diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md new file mode 100644 index 0000000000..e3c23bf86e --- /dev/null +++ b/store-for-business/billing-payments-overview.md @@ -0,0 +1,26 @@ +--- +title: Billing and payments overview +description: Find topics about billing and payment support in Microsoft Store for Business. +keywords: billing, payment methods, invoices, credit card, debit card +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium +ms.date: 03/01/2019 +--- + +# Billing and payments + +Access invoices and managed your payment methods. + +## In this section + +| Topic | Description | +| ----- | ----------- | +| [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information about invoices provided by Microsoft Store for Business. | +| [Understand billing profiles](billing-profile.md) | Information about billing profiles and how they relate to invoices. | +| [Payment methods](payment-methods.md) | Information about managing payment methods. | \ No newline at end of file diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md new file mode 100644 index 0000000000..56a0be9b64 --- /dev/null +++ b/store-for-business/billing-profile.md @@ -0,0 +1,43 @@ +--- +title: Understand billing profiles +description: Learn how billing profiles support invoices +keywords: billing profile, invoices, charges, managed charges +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: trudyha +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium +ms.date: 03/01/2019 +--- + +# Understand billing profiles +For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customeize what products are included on your invoice, and how you pay your invoices. + +Billing profiles include: +- **Payment methods** – Credit cards or check/wire transfer +- **Contact info** - Billing address and a contact name +- **Permissions** – Permissions that allow you to change the billing profile, pay bills, or use the payment method on the billing profile to make purchases + +Use billing profiles to control your purchases and customize your invoice. A monthly invoice is generated for the products bought using the billing profile. You can customize the invoice such as update the purchase order number and email invoice preference. + +A billing profile is automatically created for your billing account during your first purchase. You can create new billing profiles to set up additional invoices when you make a purchase. For example, you use different billing profiles when you make purchases for each department in your organization. On your next billing date, you'll receive an invoice for each billing profile. + +Roles on the billing profiles have permissions to control purchases, and view and manage invoices. Assign these roles to users who track, organize, and pay invoices like members of the procurement team in your organization. + +## View billing profile +**To view billing profiles** +1. Sign in to [Microsoft Store for Business]( https://businessstore.microsoft.com/), or M365 admin center. +2. Select **Manage**, and then select **Billing and payments**. +3. Select **Billing profiles**, and then select a billing profile from the list to see details. + - On **Overview**, you can edit billing profile details, and turn on or off sending an invoice by email. + - On **Permissions**, you can assign roles to users to pay invoices. + - On **Azure credit balance**, Azure customers can see transaction balance history for the azure credits used by that billing profile. + - On **Azure credits**, Azure customers can see a list of Azure credits associated with that billing profile, and their expiration dates. + +## Need help? Contact us. +If you have questions or need help with your Azure charges, [create a support request with Azure support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). + +If you have questions or need help with your invoice in Microsoft Store for Business, [create a support request with Store for Business support](https://businessstore.microsoft.com). diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md new file mode 100644 index 0000000000..d477d66085 --- /dev/null +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -0,0 +1,118 @@ +--- +title: Understand your Microsoft Customer Agreement invoice +description: Learn how to read and understand your MCA bill +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: trudyha +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium +ms.date: 03/01/2019 +--- + +# Understand your Microsoft Customer Agreement invoice + +The invoice provides a summary of your charges and provides instructions for payment. It’s available for +download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements). + +## General invoice information +Invoices are your bill from Microsoft. A few things to note: + +- **Invoice schedule** - You’re invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**. +- **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md) +- **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace. +- **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill. +- **International customers** - Charges on invoices for international customers are converted to their local currencies. Exchange rate information is listed at the bottom of the invoice. + +## Online invoice +For Store for Business customers, invoices are also available online. A few things to note: +- **Link to online invoice** - Available from your PDF invoice, and from an email notification. +- **Invoice details** - Expandable view of the charges on your invoice, so you can see more details for each item. +- **Pricing details** - Additional information including discounting and pricing details. +- **Pay online** - Option to make a payment online from the invoice. +- **Azure cost management** - For Azure customers, online invoices include a link to Azure cost management. + +**To view your online invoice** +1. Sign in to [Microsoft Store for Business]( https://businessstore.microsoft.com/). +2. Select **Manage**, and then select **Billing and payments**. +3. Select an invoice from the list to view your online invoice. + +## Detailed terms and descriptions of your invoice +The following sections list the important terms that you see on your +invoice and descriptions for each term. + +### Understand the invoice summary + +The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay. + +![Invoice summary section](images/invoicesummary.png) + + +| Term | Description | +| --- | --- | +| Sold to |Address of your legal entity, found in billing account properties| +| Bill to |Billing address of the billing profile receiving the invoice, found in billing profile properties| +| Billing Profile |The name of the billing profile receiving the invoice | +| P.O. number |An optional purchase order number, assigned by you for tracking | +| Invoice number |A unique, Microsoft-generated invoice number used for tracking purposes | +| Invoice date |Date that the invoice is generated, typically five to 12 days after end of the Billing cycle. You can check your invoice date in billing profile properties.| +| Payment terms |How you pay for your Microsoft bill. *Net 30 days* means you pay by following instructions on your invoice, within 30 days of the invoice date. | + +### Understand the billing summary +The **Billing Summary** shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due. + + +![Billing summary section](images/billingsummary.png) + +| Term | Description | +| --- | --- | +| Charges|Total number of Microsoft charges for this billing profile since the last billing period | +| Credits |Credits you received from returns | +| Azure credits applied |Your Azure credits that are automatically applied to Azure charges each billing period | +| Subtotal |The pre-tax amount due | +| Tax |The type and amount of tax that you pay, depending on the country of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. | +| Estimated total savings |The estimated total amount you saved from effective discounts. If applicable, effective discount rates are listed beneath the purchase line items in Details by Invoice Section. | + +### Understand your charges +You'll see the charges, tax, and the total amount due. Azure customers will also see the amount of Azure credits applied. + +`Total = Charges - Azure Credit + Tax` + +The details show the cost broken down by product order name. For Azure customers, this might be organized by invoice section. For more information about how invoice sections are used with Azure products, see [Understand invoice sections](https://docs.microsoft.com/azure/billing/billing-mca-overview#understand-invoice-sections). +Within each product order, cost is broken down by service family. + +The total amount due for each service family is calculated by subtracting Azure credits from credits/charges and adding tax: + +`Total = Charges/Credits - Azure Credit + Tax` + +![Details by invoice section](images/invoicesectiondetails.png) + +| Term |Description | +| --- | --- | +| Unit price | The effective unit price of the service (in pricing currency) that is used to the rate the usage. This is unique for a product, service family, meter, and offer. | +| Qty | Quantity purchased or consumed during the billing period | +| Charges/Credits | Net amount of charges after credits/refunds are applied | +| Azure Credit | The amount of Azure credits applied to the Charges/Credits| +| Tax rate | Tax rate(s) depending on country | +| Tax amount | Amount of tax applied to purchase based on tax rate | +| Total | The total amount due for the purchase | + +### How to pay +At the bottom of the invoice, there are instructions for paying your bill. You can pay by wire or online. If you pay online, you can use a credit or debit card, or Azure credits, if applicable. + +### Publisher information +If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice. + +### Exchange rate +If prices were converted to your local currency, the exchange rates are listed in this section at the bottom of the invoice. All Azure charges are priced in USD and third-party services are priced in the seller's currency. + +## Next steps +If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](https://docs.microsoft.com/en-us/azure/billing/billing-understand-your-invoice-mca). + +## Need help? Contact us. + +If you have questions or need help with your Azure charges, [create a support request with Azure support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). + +If you have questions or need help with your invoice in Microsoft Store for Business, [create a support request with Store for Business support](https://businessstore.microsoft.com/manage/support/summary). diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index eefb7fd379..c9b1df28bd 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -63,9 +63,12 @@ There are several items to download or create for offline-licensed apps. The app **To download an offline-licensed app** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then choose **Apps & software**. -3. Refine results by **License type** to show apps with offline licenses. -4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**. +2. Click **Manage**. +3. Under **Shopping Experience**, set **Show offline apps** to **On**. +4. Click **Shop for my group**. Search for the required inbox-app, select it, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. +6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) + - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. - **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required. diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index d739d26b28..c36c5dff04 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -43,12 +43,14 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.store-for-business" + "depot_name": "MSDN.store-for-business", + "folder_relative_path_in_docset": "./" } } }, "fileMetadata": {}, "template": [], - "dest": "store-for-business" + "dest": "store-for-business", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/store-for-business/images/billing-acct-roles.png b/store-for-business/images/billing-acct-roles.png new file mode 100644 index 0000000000..6977bef250 Binary files /dev/null and b/store-for-business/images/billing-acct-roles.png differ diff --git a/store-for-business/images/billingsummary.png b/store-for-business/images/billingsummary.png new file mode 100644 index 0000000000..9f45179ead Binary files /dev/null and b/store-for-business/images/billingsummary.png differ diff --git a/store-for-business/images/invoicesectiondetails.png b/store-for-business/images/invoicesectiondetails.png new file mode 100644 index 0000000000..cdaac8423e Binary files /dev/null and b/store-for-business/images/invoicesectiondetails.png differ diff --git a/store-for-business/images/invoicesummary.png b/store-for-business/images/invoicesummary.png new file mode 100644 index 0000000000..c17e7f0713 Binary files /dev/null and b/store-for-business/images/invoicesummary.png differ diff --git a/store-for-business/images/purchasing-roles.png b/store-for-business/images/purchasing-roles.png new file mode 100644 index 0000000000..e45d9294f5 Binary files /dev/null and b/store-for-business/images/purchasing-roles.png differ diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md index 995d597ff5..77cce4033a 100644 --- a/store-for-business/manage-settings-microsoft-store-for-business.md +++ b/store-for-business/manage-settings-microsoft-store-for-business.md @@ -10,7 +10,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/17/2017 +ms.date: 2/19/2018 --- # Manage settings for Microsoft Store for Business and Education @@ -28,5 +28,6 @@ You can add users and groups, as well as update some of the settings associated | ----- | ----------- | | [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. | | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.| +| [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information on invoices for products and services bought under the Microsoft Customer Agreement.| diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 276c980fae..0bf1fdc2d4 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -360,7 +360,7 @@ Customers in these markets can use Microsoft Store for Business and Education to - Ukraine ### Support to only manage products -Customers in these markets can use Microsoft Store for Business and Education only to manage products that they've purchased from other channels. For example, they might have purchased products through Volume Licensing Service Center. However, they can't purhcase apps directly from Microsoft Store for Business and Education. +Customers in these markets can use Microsoft Store for Business and Education only to manage products that they've purchased from other channels. For example, they might have purchased products through Volume Licensing Service Center. However, they can't purchase apps directly from Microsoft Store for Business and Education. - Puerto Rico This table summarize what customers can purchase, depending on which Microsoft Store they are using. diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md new file mode 100644 index 0000000000..e67c02d7b6 --- /dev/null +++ b/store-for-business/payment-methods.md @@ -0,0 +1,51 @@ +--- +title: Payment methods for commercial customers +description: Learn what payment methods are available in Store for Business and M365 admin center +keywords: payment method, credit card, debit card, add credit card, update payment method +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: trudyha +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium +ms.date: 03/01/2019 +--- + +# Payment methods +You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards: +- VISA +- MasterCard +- Discover +- American Express +- Japan Commercial Bureau (JCB) + +> [!NOTE] +> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region. + +## Add a payment method +**To add a new payment option** + +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). +2. Select **Manage**, select **Billing & payments**, and then select **Payments methods**. +3. Select **Add a payment options**, and then select the type of credit card that you want to add. +4. Add information to required fields, and then select **Add**. + +Once you select **Add**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any issues. + +> [!NOTE] +> When adding credit or debit cards, you may be prompted to enter a CVV. The CVV is only used for verification purposes and is not stored in our systems after validation. + +## Edit payment method +**To update a payment option** + +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, click **Billing & payments**, and then click **Payments methods**. +3. Select the payment option that you want to update, select the ellipses, and then choose **Edit payment method**. +4. Enter any updated information in the appropriate fields, and then se;ect**Save**. + +Once you click **Update**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. + +> [!NOTE] +> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. \ No newline at end of file diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 22e03ceda8..48a7bcf332 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -1,6 +1,7 @@ --- title: Roles and permissions in Microsoft Store for Business and Education (Windows 10) description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. +keywords: roles, permissions ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE ms.prod: w10 ms.mktglfcycl: manage @@ -10,17 +11,10 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 8/7/2018 +ms.date: 03/01/2019 --- # Roles and permissions in Microsoft Store for Business and Education - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. @@ -33,69 +27,60 @@ This table lists the global user accounts and the permissions they have in Micro | ------------------------------ | --------------------- | --------------------- | | Sign up for Microsoft Store for Business and Education | X | | Modify company profile settings | X | | -| Acquire apps | X | X | +| Purchase apps | X | X | | Distribute apps | X | X | | Purchase subscription-based software | X | X |   -- **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. +**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. -- **Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role. +**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role. -## Microsoft Store roles and permissions - -Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. +## Billing account roles and permissions +There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business. This table lists the roles and their permissions. -| | Admin | Purchaser | Device Guard signer | -| ------------------------------ | ------ | -------- | ------------------- | -| Assign roles | X | | | -| Manage Microsoft Store for Business and Education settings | X | | | -| Acquire apps | X | X | | -| Distribute apps | X | X | | -| Sign policies and catalogs | X | | | -| Sign Device Guard changes | X | | X | - +| Role | Buy from

Microsoft Store | Assign

roles | Edit

account | Sign

agreements | View

account | +| ------------------------| ------ | -------- | ------ | -------| -------- | +| Billing account owner | X | X | X | X | X | +| Billing account contributor | | | X | X | X | +| Billing account reader | | | | | X | +| Signatory | | | | X | X | + +## Purchasing roles and permissions +There are also a set of roles for purchasing and managing items bought. +This table lists the roles and their permissions. + +| Role | Buy from

Microsoft Store | Manage all items | Manage items

I buy | +| ------------| ------ | -------- | ------ | +| Purchaser | X | X | | +| Basic purchaser | X | | X | + +## Assign roles **To assign roles to people** -1. Sign in to Microsoft Store for Business or Microsoft Store for Education. +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). >[!Note] - >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page.  + >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**.  - To assign roles, you need to be a Global Administrator or a Store Administrator. - -2. Click **Settings**, and then choose **Permissions**. - - OR - - Click **Manage**, and then click **Permissions** on the left-hand menu. - - - -3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** . - - - -4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md). - +2. Select **Manage**, and then select **Permissions**. +3. On **Roles**, or **Purchasing roles**, select **Assign roles**. +4. Enter a name, choose the role you want to assign, and select **Save**. + If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md). diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index 04db2ea942..8109fc1389 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md @@ -10,29 +10,23 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 11/01/2017 +ms.date: 03/01/2019 --- # Settings reference: Microsoft Store for Business and Education - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. | Setting | Description | Location under **Manage** | | ------- | ----------- | ------------------------------ | -| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md).| **Billing - Account profile** | -| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** | +| Billing account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md).| **Billing accounts** | +| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](payment-methods.md).| **Billing & payments - Payment methods** | | Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** | | Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** | | Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** | -| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role).
**Make everyone a Basic Purchaser** is only available in Microsoft Store for Education. | **Settings - Shop** | -| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** | +| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** | +| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** | | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** | | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** | -| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** | +| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** | | Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** | diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md index f4429a667f..eb426098c6 100644 --- a/store-for-business/sfb-change-history.md +++ b/store-for-business/sfb-change-history.md @@ -8,16 +8,20 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 3/2/2019 ms.localizationpriority: medium --- # Change history for Microsoft Store for Business and Microsoft Store for Education -**Applies to** - -- Windows 10 -- Windows 10 Mobile +## March 2019 +| New or changed topic | Description | +| --- | --- | +| [Understand your Microsoft Customer Agreement invoice](billing-understand-your-invoice-msfb.md) | New topic | +| [Understand billing profiles](billing-profile.md) | New topic | +| [Payment methods](payment-methods.md) | New topic | +| [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-microsoft-store-for-business-account-settings.md) | Update with information on billing accounts. | +| [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md) | Add info for purchasing roles and permissions. | ## April 2018 | New or changed topic | Description | diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index 3ac104dedf..212b62ecf0 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md @@ -1,6 +1,7 @@ --- -title: Update Microsoft Store for Business and Microsoft Store for Education account settings (Windows 10) -description: The Account information page in Microsoft Store for Business and Microsoft Store for Education shows information about your organization that you can update, including country or region, organization name, default domain, and language preference. +title: Update your Billing account settings +description: The billing account page in Microsoft Store for Business and Microsoft Store for Education, and M365 admin center shows information about your organization that you can update, including country or region, organization contact info, agreements with Microsoft and admin approvals. +keywords: billing accounts, organization info ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -9,17 +10,16 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/17/2017 +ms.date: 03/18/2019 --- -# Update Microsoft Store for Business and Microsoft Store for Education account settings +# Update Billing account settings +A billing account contains defining information about your organization. -**Applies to** +>[!NOTE] +>Billing accounts are available in Microsoft Store for Business, and M365 admin center preview. For more infomation, see [aka.ms/aboutM365preview](https://aka.ms/aboutM365preview). -- Windows 10 -- Windows 10 Mobile - -The **Payments & billing** page in Microsoft Store for Business allows you to manage organization information, billing information, and payment options. The organization information and payment options are required before you can acquire apps that have a price. +The **Billing account** page allows you to manage organization information, purchasing agreements that you have with Microsoft, and admin approvals. The organization information and payment options are required before you can shop for products that have a price. ## Organization information @@ -27,17 +27,19 @@ We need your business address, email contact, and tax-exemption certificates tha ### Business address and email contact -Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address. +Before purchasing apps that have a fee, you need to add or update your organization's business address, contact email address, and contact name. We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store. -**To update Organization information** +**To update billing account information** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**. +2. Select **Manage**, and then select **Billing accounts**. +3. On **Overview**, select **Edit billing account information**. +4. Make your updates, and then select **Save**. -## Organization tax information +### Organization tax information Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: - Austria - Belgium @@ -72,7 +74,7 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Switzerland - United Kingdom -These countries can provide their VAT number or local equivalent in **Payments & billing**. +These countries can provide their VAT number or local equivalent on their **Billing account** information. |Market| Tax identifier | |------|----------------| @@ -90,7 +92,7 @@ If you qualify for tax-exempt status in your market, start a service request to **To start a service request** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com). -2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**. +2. Select **Manage**, click **Support**, and then under **Store settings & configuration** select **Create technical support ticket**. You’ll need this documentation: @@ -101,7 +103,6 @@ You’ll need this documentation: | Ireland | 13B/56A Tax Exemption Certificate| | International organizations that hold tax exaemption | Certification / letter confirmation from local tax authorities | - ### Calculating tax Sales taxes are calculated against the unit price, and then aggregated. @@ -113,41 +114,15 @@ For example:
($1.29 X .095) X 100 = $12.25 -## Payment options -You can purchase apps from Microsoft Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: -1. VISA -2. MasterCard -3. Discover -4. American Express -5. Japan Commercial Bureau (JCB) +## Agreements +Each billing account inculdes access to the purchasing agreements your organization has signed with Microsoft. This could include: +- Microsoft Enterprise Agreement +- Select agreements +- Open agreements +- Microsoft customer agreement -> [!NOTE] -> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region. - -**To add a new payment option** - -1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Billing**, and then click **Payments methods**. -3. Click **Add a payment options**, and then select the type of credit card that you want to add. -4. Add information to required fields, and then click **Next**. - -Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. - -> [!NOTE] -> When adding credit or debit cards, you may be prompted to enter a CVV. The CVV is only used for verification purposes and is not stored in our systems after validation. - -**To update a payment option** - -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Billing**, and then click **Payments methods**. -3. Select the payment option that you want to update, and then click **Update**. -4. Enter any updated information in the appropriate fields, and then click **Next**. -Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. - -> [!NOTE] -> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. - -## Offline licensing +If you there is an updated version of the Microsoft customer agreement for you to sign, you'll be prompted to on **Agreements**, or during a purchase. + \ No newline at end of file diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index f27666d0fd..b394742538 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -38,7 +38,8 @@ "ms.author": "justinha", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-access-protection" + "depot_name": "MSDN.win-access-protection", + "folder_relative_path_in_docset": "./" } } }, @@ -46,4 +47,4 @@ "template": [], "dest": "win-access-protection" } -} \ No newline at end of file +} diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 3b11a9431b..9f0e645ab1 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -9,6 +9,7 @@ ms.author: elizapo author: lizap ms.localizationpriority: medium ms.date: 04/26/2018 +ms.topic: article --- # How to add apps and features to Windows 10 > Applies to: Windows 10 diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index eac656ed68..ed9e7d1801 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md @@ -1,12 +1,13 @@ --- title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10) description: Information about what's new in App-V for Windows 10, version 1703 and earlier. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # What's new in App-V for Windows 10, version 1703 and earlier @@ -59,9 +60,9 @@ For more information about how to configure an existing App-V installation after App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) to learn more about how to integrate your App-V environment with Configuration Manager. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index c5a7ad334d..dc50a4c884 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # How to add or remove an administrator by using the Management Console @@ -25,9 +26,9 @@ Use the following procedures to add or remove an administrator on the Microsoft 1. Open the Microsoft Application Virtualization (App-V) Management Console and select **Administrators** in the navigation pane. The navigation pane displays a list of AD users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. 2. Right-click the account to be removed from the list of administrators and select **Remove**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index 0ae1a703c8..65e751d061 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # How to add or upgrade packages by using the Management Console @@ -35,9 +36,9 @@ You can use the following procedure to add or upgrade a package to the App-V Man 5. Select **Close** to close the **Add or Upgrade Packages** page. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index b6cf8bf3d3..e56d2e0b3a 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # Administering App-V by using Windows PowerShell @@ -44,9 +45,9 @@ The following table describes Windows PowerShell error handling for App-V. |Using the **RollbackOnError** attribute with embedded scripts|When you use the **RollbackOnError** attribute with embedded scripts, the attribute is ignored for the following events:
- Removing a package
- Unpublishing a package
- Terminating a virtual environment
- Terminating a process| |Package name contains **$**|If a package name contains the character \$\, you must use a single-quote ( **'** ).
For example:
```Add-AppvClientPackage 'Contoso$App.appv'```| -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index a7662c1689..496cc0b738 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # Administering App-V Virtual Applications by using the Management Console @@ -50,9 +51,9 @@ The main elements of the App-V Management Console are: >[!IMPORTANT] >The browser you're using to open the Web Management Console must have JavaScript enabled. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Other resources for this App-V deployment diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index 36c4204881..cee9f0a966 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # How to allow only administrators to enable connection groups @@ -24,9 +25,9 @@ Use one of the following methods to allow only administrators to enable or disab |Group Policy setting|Enable the “Require publish as administrator” Group Policy setting, which is located in the following Group Policy Object node:

**Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**| |Windows PowerShell cmdlet|Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter.

Parameter values:
- **0** – False
- **1** – True

Example: ```Set-AppvClientConfiguration -RequirePublishAsAdmin 1```| -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 63d64c67b1..54a2eb8da6 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/08/2018 +ms.topic: article --- # Application publishing and client interaction @@ -893,6 +894,5 @@ There are three specific categories of events recorded: - **Operational** logs the general App-V execution and usage of individual components, creating an audit log of the App-V Client's completed App-V operations. - **Virtual Application** logs virtual application launches and use of virtualization subsystems. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index be2acfa151..457b84aa95 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/15/2018 +ms.topic: article --- # How to apply the deployment configuration file by using Windows PowerShell @@ -37,9 +38,9 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon > Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml > ``` -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index 7f5e05afcd..8b1e2d8168 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/15/2018 +ms.topic: article --- # How to apply the user configuration file by using Windows PowerShell @@ -36,9 +37,9 @@ Here's how to specify a user-specific configuration file: Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath C:\Packages\Contoso\config.xml ``` -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index 9a0407dafc..d40b868aa0 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -1,12 +1,13 @@ --- title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) @@ -99,6 +100,6 @@ There are 3 types of log files that occur when you sequence multiple apps at the - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index b4bd1c4426..6a74d97208 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -1,12 +1,13 @@ --- title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) @@ -153,6 +154,6 @@ There are three types of log files that occur when you sequence multiple apps at - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index 2495e28dd7..acf707a514 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -1,12 +1,13 @@ --- title: Automatically clean up unpublished packages on the App-V client (Windows 10) description: How to automatically clean up any unpublished packages on your App-V client devices. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/15/2018 +ms.topic: article --- # Automatically clean up unpublished packages on the App-V client @@ -51,9 +52,9 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index b71dacce5a..53a38b3f05 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -1,12 +1,13 @@ --- title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) @@ -125,6 +126,5 @@ After you sequence your packages, you can automatically clean up any unpublished - [How to install the App-V Sequencer](appv-install-the-sequencer.md) - [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index acc5e6e812..3429a4b616 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -1,12 +1,13 @@ --- title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) description: A list of the available MDM settings for App-V on Windows 10. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/15/2018 +ms.topic: article --- # Available Mobile Device Management (MDM) settings for App-V diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 8fef0869e5..250809b68c 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # App-V Capacity Planning @@ -184,9 +185,9 @@ Ignoring scaling requirements, the minimum number of servers that a fault-tolera Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatibilities could cause certain fault-tolerance options to stop working. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index 1e827161ce..983ad32d49 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # About Client Configuration Settings @@ -104,9 +105,9 @@ The following table provides information about App-V client configuration settin | **HidePublishingRefreshUI**
1 (Enabled), 0 (Disabled) | | | | **ProcessesUsingVirtualComponents**
String | Virtualization\\ProcessesUsingVirtualComponents | Empty string. | -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index 3423d1c211..df14d062d7 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/18/2018 +ms.topic: article --- # How to configure access to packages by using the Management Console @@ -51,9 +52,9 @@ Use the following procedure to configure access to virtualized packages. 3. Select **Close**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 2fbf152ae4..2c4f458795 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/18/2018 +ms.topic: article --- # How to make a connection group ignore the package version @@ -56,9 +57,9 @@ For more about adding or upgrading packages, see [How to add or upgrade packages For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index 4c9e8afc25..ac9673baaf 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/25/2018 +ms.topic: article --- # How to configure the client to receive package and connection groups updates from the publishing server @@ -54,9 +55,9 @@ This article will tell you how to configure the App-V client to receive updates This cmdlet will query the publishing server for which packages and connection groups need to be added or removed for this particular client based on your configured entitlements for the packages and connection groups on the management server. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index dc2e364c79..d19cfb0658 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/25/2018 +ms.topic: article --- # How to connect to the Management Console @@ -20,9 +21,9 @@ Use the following procedure to connect to the App-V Management Console. 2. To view different sections of the console, select your desired section in the navigation pane. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index ad317ada6d..284057363a 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/25/2018 +ms.topic: article --- # About the connection group file @@ -133,9 +134,9 @@ App-V supports the following application connection configurations. After deployment, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package or keep and maintain them as separate packages and deploy them with a connection group. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index 26a2f399c9..99932f11be 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 06/25/2018 +ms.topic: article --- # About the connection group virtual environment @@ -60,9 +61,9 @@ When a virtualized application tries to find a specific file, App-V will first f - If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, App-V will use the first matching file. - If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, App-V will use the first matching file. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 9ee866698b..36dcf56ffe 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to convert a package created in a previous version of App-V @@ -84,9 +85,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and - Other functionality—Windows PowerShell has other built-in functionality for features such as aliases, lazy-binding, .NET Object, and many others. These features can help you create advanced scenarios for the Package Converter. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 58ccffc7a8..2ecf79eaaf 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to create a connection croup with user-published and globally published packages @@ -54,9 +55,9 @@ Here are some important things to know before you get started: 3. Follow the instructions in [How to create a connection group](appv-create-a-connection-group.md) to create the connection group and add the user-published and globally published packages. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 661b95326d..f5353a4be2 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to create a connection group @@ -37,9 +38,9 @@ When you place packages in a connection group, their package root paths merge. I 6. After adding all the applications and configuring Active Directory access, select **Apply**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index a2d704e613..e27f48c14a 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to create a custom configuration file by using the App-V Management Console @@ -29,9 +30,9 @@ You can create a dynamic user configuration file with the App-V Management Conso >[!NOTE]   >If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enabled and set to block downloads, you won't be able to download anything from the App-V Server. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 7c228e7c4d..c9e6680de7 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to create a package accelerator by using Windows PowerShell @@ -38,9 +39,9 @@ App-V Package Accelerators automatically sequence large, complex applications. A - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index 49be3c2a97..1aa2fa75c3 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to create a package accelerator @@ -67,9 +68,9 @@ Use the following procedure to create a package accelerator. >[!IMPORTANT] >You should always digitally sign the package accelerator to ensure that it is secure and can be verified by a publisher during application. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index 2742b4002f..48dfcaf890 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to create a virtual application package using an App-V Package Accelerator @@ -67,9 +68,9 @@ Use the following procedure to create a virtual application package with the App The package is now available in the Sequencer. To edit the package properties, select **Edit \[Package Name\]**. For more information about how to modify a package, see [How to modify an existing virtual application package](appv-modify-an-existing-virtual-application-package.md). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 54c4e39515..762a8c3837 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,12 +1,13 @@ --- title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # Create and apply an App-V project template to a sequenced App-V package @@ -54,6 +55,6 @@ After creating the template, you can apply it to all of your new virtual app pac - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index e6c441feb7..dca1b3b048 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Creating and managing App-V virtualized applications @@ -152,9 +153,9 @@ The App-V Sequencer can detect common sequencing issues during sequencing. The * You can also find additional information about sequencing errors using the Windows Event Viewer. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index a364b60032..b6239f823f 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 07/10/2018 +ms.topic: article --- # How to customize virtual applications extensions for a specific AD group by using the Management Console @@ -28,9 +29,9 @@ Use the following procedure to customize the virtual application extensions for 5. To edit additional application extensions, modify the configuration file and select **Import and Overwrite this Configuration**. Select the modified file and select **Open**. In the dialog, select **Overwrite** to complete the process. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index ee3f71058e..28ece19e12 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # How to delete a connection group @@ -20,9 +21,9 @@ Use the following procedure to delete an existing App-V connection group. 2. Right-click the connection group to be removed and select **delete**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 81a067b1eb..c1da202df9 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # How to delete a package in the Management Console @@ -20,9 +21,9 @@ Use the following procedure to delete an App-V package. 2. Select or right-click the package, then select **Delete** to remove the package. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index e719ae1710..c0a29eb10f 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to deploy the App-V databases by using SQL scripts @@ -175,9 +176,9 @@ Steps to install "AppVReporting" schema in SQL SERVER. ScheduleReportingJob.sql ``` -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 29eafeeefa..8dde4cdf22 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # How to deploy App-V packages using electronic software distribution @@ -36,9 +37,9 @@ Use one of the following methods to publish packages to App-V client computers w 3. After you create the virtual application, deploy the package by using your ESD solution. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index a2b8ba9569..52f16c2759 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to deploy the App-V server using a script @@ -513,9 +514,9 @@ To use a custom instance of Microsoft SQL Server, use these parameters: | */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE* | Specifies the name of the custom SQL instance that will be used. For example, ```/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE="AppVManagement"```. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this will be ignored. | | */EXISTING_MANAGEMENT_DB_NAME* | Specifies the name of the existing management database that should be used. For example, ```/EXISTING_MANAGEMENT_DB_NAME="AppVMgmtDB"```. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this will be ignored. | -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index a8035796ac..d3ef14b85d 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to Deploy the App-V Server (new installation) diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 1d2034eb89..b90d7a848e 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Deploying App-V for Windows 10 @@ -41,6 +42,6 @@ The following sections describe how to use App-V to deliver Microsoft Office as * [Troubleshooting App-V](appv-troubleshooting.md) * [Technical reference for App-V](appv-technical-reference.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index ce2b61a864..42f86ce251 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Deploying Microsoft Office 2010 by Using App-V @@ -95,6 +96,5 @@ The following table provides a full list of supported integration points for Off * [About App-V Dynamic Configuration](appv-dynamic-configuration.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index ca909f8764..ef4a648b31 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Deploying Microsoft Office 2013 by Using App-V @@ -33,7 +34,7 @@ Before you deploy Office with App-V, review the following requirements. |Task|Requirement| |---|---| -|Packaging|All Office applications you wish to deploy to users must be in a single package.
In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).| +|Packaging|All Office applications you wish to deploy to users must be in a single package.
In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).| |Publishing|You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user.| |Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.| @@ -44,7 +45,7 @@ The following table describes the recommended methods for excluding specific Off |Task|Details| |---|---| |Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
For more information, see [ExcludeApp element](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element).| -|Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.
For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).| +|Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.
For more information, see [Disabling Office 2013 applications](#disabling-office-2013-applications).| ## Creating an Office 2013 package for App-V with the Office Deployment Tool @@ -267,12 +268,12 @@ Add-AppvClientPackage | Publish-AppvClientPackage –glob To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections. -* [Enabling Office plug-ins by using connection groups](#bkmk-enable-office-plugins) -* [Disabling Office 2013 applications](#bkmk-disable-office-apps) -* [Disabling Office 2013 shortcuts](#bkmk-disable-shortcuts) -* [Managing Office 2013 package upgrades](#bkmk-manage-office-pkg-upgrd) -* [Managing Office 2013 licensing upgrades](#bkmk-manage-office-lic-upgrd) -* [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project) +* [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups) +* [Disabling Office 2013 applications](#disabling-office-2013-applications) +* [Disabling Office 2013 shortcuts](#disabling-office-2013-shortcuts) +* [Managing Office 2013 package upgrades](#managing-office-2013-package-upgrades) +* [Managing Office 2013 licensing upgrades](#managing-office-2013-licensing-upgrades) +* [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office) ### Enabling Office plug-ins by using connection groups @@ -432,6 +433,5 @@ This section describes the requirements and options for deploying Visio 2013 and * [About App-V Dynamic Configuration](appv-dynamic-configuration.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 63932df3b0..f2caa3c9f0 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Deploying Microsoft Office 2016 by using App-V @@ -378,6 +379,5 @@ The following table describes the requirements and options for deploying Visio 2 * [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) * [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 05f4985ae8..4f205bf71e 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # Deploying App-V packages by using electronic software distribution (ESD) @@ -29,6 +30,5 @@ To learn how to configure the App-V client to enable only administrators to publ - [App-V and Citrix integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885) - [Operations for App-V](appv-operations.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 638235a066..c50de9053a 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Deploying the App-V Sequencer and configuring the client @@ -88,6 +89,5 @@ You can use the App-V Sequencer log information to troubleshoot Sequencer instal >[!NOTE] >Sequencer-related events are prepended with **AppV\_Sequencer**. Client-related events are prepended with **AppV\_Client**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 010925239a..a8483ea6cb 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Deploying the App-V server @@ -105,6 +106,6 @@ For more information, see [About App-V reporting](appv-reporting.md) and [How to * [Deploying App-V](appv-deploying-appv.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 6efc162994..dbb94bed87 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # App-V Deployment Checklist @@ -23,9 +24,9 @@ This checklist outlines the recommended steps and items to consider when deployi >[!NOTE] >Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 2669aedab4..3e900c1a4b 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # About App-V dynamic configuration @@ -602,9 +603,9 @@ For more information about how to create the file using the App-V Management Con To create the file manually, you can combine the components listed in the previous sections into a single file. However, we recommend you use files generated by the sequencer instead of manually created ones. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 803d11d76e..ed48d628a2 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 +ms.topic: article --- # How to enable only administrators to publish packages by using an ESD @@ -24,6 +25,6 @@ Here's how to enable only administrators to publish or unpublish packages: To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index b6df634063..9aa52bfd1c 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 +ms.topic: article --- # How to Enable Reporting on the App-V Client by Using Windows PowerShell @@ -78,9 +79,9 @@ Use the following procedure to configure the App-V for reporting. Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** cmdlet. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index 0696778b9f..29f36ee761 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Enable the App-V in-box client @@ -37,6 +38,5 @@ Check out these articles for more information about how to configure the App-V c * [Using the client management console](appv-using-the-client-management-console.md) * [How to configure the client to receive package and connection group updates from the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index d055f0c12d..c17263348d 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -45,9 +45,6 @@ Use the following links for more information about creating and managing virtual - [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) -## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index 3642e254c5..efac1526d5 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # Application Virtualization (App-V) for Windows 10 overview @@ -61,6 +62,5 @@ The topics in this section provide information and instructions to help you admi - [Viewing App-V Server publishing metadata](appv-viewing-appv-server-publishing-metadata.md) - [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 98794a0cb4..d18e707951 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Getting started with App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 3b799fe1ab..6cd81600e8 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # High-level architecture for App-V diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index efc8ef2948..24405d012e 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -137,9 +137,9 @@ Before attempting this procedure, you should read and understand the information **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index 3097201087..a67f0ea3de 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services @@ -68,9 +69,9 @@ Use the following procedure to install the database server and management server >For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md). 5. Run the scripts on the computer running Microsoft SQL Server. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 5a78399b06..7e82f64b5b 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to install the Management Server on a Standalone Computer and Connect it to the Database @@ -30,9 +31,9 @@ To install the management server on a standalone computer and connect it to the 8. Select **Install**. 9. To confirm that the setup has completed successfully, open a web browser and enter the following URL: https://managementserver:portnumber/Console. If the installation was successful, you should see the **Management Console** appear without any error messages or warnings displayed. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index a67700ab9a..a4d4a8ed1a 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to install the publishing server on a remote computer @@ -52,9 +53,9 @@ Use the following procedure to install the publishing server on a separate compu ``` -## Have a suggestion for App-V? + + -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index edf22cbc3d..9c1a1b5066 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # How to install the reporting server on a standalone computer and connect it to the database @@ -34,9 +35,9 @@ Use the following procedure to install the reporting server on a standalone comp * For the **Port binding**, specify a unique, five-digit port number for App-V to use, such as **55555**. Make sure that the specified port isn't being used by another website. 8. Select **Install**. -## Have a suggestion for App-V? + + -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index c799df5bae..59f1199d00 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Install the App-V Sequencer @@ -48,9 +49,9 @@ You can also use the command line to install the App-V sequencer. The following For more information regarding the sequencer installation, you can view the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv\_ log**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 3292b74b3e..ae78cb69e8 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help @@ -90,6 +91,5 @@ To display help for a specific Windows PowerShell cmdlet: Get-Help Publish-AppvClientPackage ``` -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index f98668cea5..eab387ff9a 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # Maintaining App-V @@ -26,9 +27,9 @@ For example, let's say the process ID is 4052. If you can successfully open a na Additionally, ISVs who want to explicitly virtualize or not virtualize calls on specific APIs with App-V 5.1 and later can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module to hint to a downstream component whether the call should be virtualized or not. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Other resources for maintaining App-V diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index f4a20fb696..4482877876 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/24/2018 +ms.topic: article --- # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell @@ -161,9 +162,9 @@ The pending task will run later, according to the following rules: For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package). -## Have a suggestion for App-V? + + -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 42df49b2c7..9e50ad3f0c 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -126,9 +126,9 @@ This topic explains the following procedures: -## Have a suggestion for App-V? + -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 3f69438c95..db17fbe2a0 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -64,10 +64,10 @@ In some previous versions of App-V, connection groups were referred to as Dynami   -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Other resources for App-V connection groups diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index e74aecb295..3776b26829 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -247,10 +247,10 @@ There is no direct method to upgrade to a full App-V infrastructure. Use the inf -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Other resources for performing App-V migration tasks diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index c3c5a98cac..e5e1aae356 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -145,9 +145,9 @@ This topic explains how to: 13. On the **Completion** page, click **Close**. The package is now available in the sequencer. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 894c51e025..9f0295e52a 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -28,9 +28,9 @@ Use the following procedure to configure the App-V client configuration. `Set-AppVClientConfiguration –Name1 MyConfig –Name2 "xyz"` -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index fc39d7dc05..9cee0ac02c 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -26,9 +26,9 @@ Follow these steps to create a new management server console: 2. After you have completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 23b04fbff1..13775f5a7a 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Operations for App-V @@ -47,6 +48,5 @@ This section of the Microsoft Application Virtualization (App-V) Administrator - [Troubleshooting App-V](appv-troubleshooting.md) - [Technical Reference for App-V](appv-technical-reference.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file + diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index 1d0c56f4bd..7c9215a248 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -733,9 +733,9 @@ The following terms are used when describing concepts and actions related to App - **User Profile Management** – The controlled and structured approach to managing user components associated with the environment. For example, user profiles, preference and policy management, application control and application deployment. You can use scripting or third-party solutions configure the environment as needed. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 9525003f91..fd5a908035 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # App-V Planning Checklist @@ -26,9 +27,9 @@ This checklist can be used to help you plan for preparing your organization for |![Checklist box](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)|| |![Checklist box](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)|| -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 6bb1dfd140..eb7f2408b6 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning to Use Folder Redirection with App-V @@ -56,6 +57,6 @@ The following table describes how folder redirection works when %AppData% is red |When the virtual environment starts.|The virtual file system (VFS) AppData folder is mapped to the local AppData folder (%LocalAppData%) instead of to the user’s roaming AppData folder (%AppData%).
- LocalAppData contains a local cache of the user’s roaming AppData folder for the package in use. The local cache is located under ```%LocalAppData%\Microsoft\AppV\Client\VFS\PackageGUID\AppData```
- The latest data from the user’s roaming AppData folder is copied to and replaces the data currently in the local cache.
- While the virtual environment is running, data continues to be saved to the local cache. Data is served only out of %LocalAppData% and is not moved or synchronized with %AppData% until the end user shuts down the computer.
- Entries to the AppData folder are made using the user context, not the system context.| |When the virtual environment shuts down.|The local cached data in AppData (roaming) is zipped up and copied to the “real” roaming AppData folder in %AppData%. A time stamp that indicates the last known upload is simultaneously saved as a registry key under ```HKCU\Software\Microsoft\AppV\Client\Packages\\AppDataTime```. App-V keeps the three most recent copies of the compressed data under %AppData% for redundancy.| -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index eb5dc60914..ba19107fe3 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning for the App-V server deployment @@ -49,9 +50,9 @@ The following table lists server-related protocols used by the App-V servers, an |IIS server|HTTP
HTTPS|This server-protocol combination requires a mechanism to synchronize content between the Management Server and the Streaming Server. When using HTTP or HTTPS, use an IIS server and a firewall to protect the server from exposure to the Internet.|Internal| |File|SMB|This server-protocol combination requires support to synchronize the content between the Management Server and the Streaming Server. Use a client computer that's capable of file sharing or streaming.|Internal| -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 6a3f8107da..826d77a491 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning for App-V diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 0fa930006c..7f372f723d 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning for high availability with App-V Server @@ -96,9 +97,9 @@ Click any of the following links for more information: The App-V management server database supports deployments to computers running Microsoft SQL Server with the **Always On** configuration. For more information, see [Always On Availability Groups (SQL Server)](https://docs.microsoft.com/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 15b715780d..edeffdebaf 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning for the App-V Sequencer and Client Deployment @@ -46,9 +47,9 @@ The following list displays some of the benefits of using App-V SCS: * Reduced deployment risk accelerates application deployment * Simplified profile management -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Other App-V deployment resources diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 84ec8aeb47..3a1420dd69 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning for deploying App-V with Office @@ -127,9 +128,9 @@ The Office 2013 or Office 2016 App-V package supports the following integration |Shortcuts|| |Windows Search|| -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 857549b340..d8b89dd307 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning to Deploy App-V with an electronic software distribution system @@ -21,9 +22,9 @@ Review the following component and architecture requirements options that apply | The App-V Management server, Management database, and Publishing server are not required. | These functions are handled by the implemented ESD solution. | | You can deploy the App-V Reporting server and Reporting database side-by-side with the ESD. | The side-by-side deployment lets you collect data and generate reports.
If you enable the App-V client to send report information without using the App-V Reporting server, the reporting data will be stored in associated .xml files. | -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 7e9a2005e7..24becb67a5 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Planning to Deploy App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 045ae3eac4..60612d1e5c 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # Preparing your environment for App-V diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index f8f7d4b0e9..35032ce623 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 +ms.topic: article --- # App-V for Windows 10 prerequisites diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index cebbaac7ad..2e3e097e03 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # How to Publish a Connection Group @@ -20,9 +21,9 @@ After you create a connection group, you must publish it to computers that run t 2. Right-click the connection group to be published, and select **publish**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index 8451509577..465bd880a0 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 09/27/2018 +ms.topic: article --- # How to publish a package by using the Management console @@ -35,9 +36,9 @@ Use the following procedure to publish an App-V package. Once you publish a pack To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index c337d9ddd7..14f6f70cad 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -37,9 +37,9 @@ Use the following procedure to register or unregister a publishing server. 3. To unregister the server, right-click the computer name and select the computer name and select **unregister server**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 96cb952b96..46c2626270 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -1,7 +1,7 @@ --- title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -113,8 +113,8 @@ For information that can help with troubleshooting App-V for Windows 10, see: - [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics - [What's new in App-V for Windows 10](appv-about-appv.md) diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index ac04ab1fb4..0e199f9a53 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -1,7 +1,7 @@ --- title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -154,8 +154,8 @@ For information that can help with troubleshooting App-V for Windows 10, see: - [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) - [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). Help us to improve diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index d72bc2f199..e7c4fe6c64 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/16/2018 +ms.topic: article --- # About App-V reporting @@ -204,9 +205,9 @@ To retrieve report information and create reports using App-V you must use one o You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server can manage without affecting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index 16285b7ef5..491c148ac7 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -152,10 +152,10 @@ If you don’t know the exact name of your package, use the command line For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index e91afa8136..53cf04a9a4 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/16/2018 +ms.topic: article --- # App-V security considerations diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index ba31867ad8..7a7d54cfee 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -1,12 +1,13 @@ --- title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to manually sequence a new app using the App-V Sequencer -author: eross-msft +author: jdeckerms ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/16/2018 +ms.topic: article --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) @@ -206,9 +207,9 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD >[!IMPORTANT] >After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + + ## Related topics diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 8a03631883..0a7aece481 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -69,6 +69,6 @@ In Windows 10, version 1703, running the new-appvsequencerpackage or the update- - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 3a0c6514b4..a28d2875c7 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/16/2018 +ms.topic: article --- # App-V Supported Configurations diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index d8f814afcd..74aec92cad 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -36,10 +36,10 @@ This section provides reference information related to managing App-V. Describes reasons and methods for running a locally installed application in a virtual environment, alongside applications that have been virtualized by using Application Virtualization (App-V). -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 242fdc9cf7..89e0d58328 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -27,9 +27,9 @@ Use the following procedure to transfer the access and default package configura If you select **transfer access and configurations from**, then all access permissions, as well as the configuration settings, will be copied. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index c3011b5f88..62e8e04338 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -40,6 +40,6 @@ For information that can help with troubleshooting App-V for Windows 10, see: - [Operations for App-V](appv-operations.md) -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index 9331c1584b..7c30f8d1f3 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -94,6 +94,6 @@ Type the following cmdlet in a Windows PowerShell window: `Unpublish-AppvClientPackage "ContosoApplication"` -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index e2244bcd6a..321ed70eaf 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -79,10 +79,10 @@ The client management console contains the following described main tabs. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index fdf7299db8..64e4b04a27 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -31,9 +31,9 @@ Use the following procedure to view and configure default package extensions. 5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process. -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index 42f52aa7d4..3af98c9c73 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -152,9 +152,9 @@ In your publishing metadata query, enter the string values that correspond to th -## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index afa48aee66..637e02d729 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -8,7 +8,7 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 12/12/2018 +ms.topic: article --- # Understand the different apps included in Windows 10 @@ -25,7 +25,7 @@ Digging into the Windows apps, there are two categories: - Installed: Installed as part of the OS. - System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. -The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. +The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1709, 1803, and 1809 and indicate whether an app can be uninstalled through the UI. Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. @@ -61,7 +61,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an | Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | | Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | | Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.VP9VideoExtensions | | | | | x | No | @@ -93,7 +93,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an ## System apps -System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809. > [!TIP] > You can list all system apps with this PowerShell command: @@ -103,57 +103,47 @@ System apps are integral to the operating system. Here are the typical system ap
-| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? | +| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? | |----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| -| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No | -| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x | No | -| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x | No | -| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | | x | No | -| | InputApp | | x | x | No | -| Cortana UI | CortanaListenUIApp | x | | | No | -| | Desktop Learning | x | | | No | -| | DesktopView | x | | | No | -| | EnvironmentsApp | x | | | No | -| Mixed Reality + | HoloCamera | x | | | No | -| Mixed Reality + | HoloItemPlayerApp | x | | | No | -| Mixed Reality + | HoloShell | x | | | No | -| | Microsoft.AAD.Broker.Plugin | x | x | x | No | -| | Microsoft.AccountsControl | x | x | x | No | -| | Microsoft.AsyncTextService | | | x | No | +| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | x | x | No | +| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | x | x | No | +| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | x | x | No | +| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | x | x | No | +| | InputApp | x | x | x | No | +| Microsoft.AAD.Broker.Plugin | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| Microsoft.AccountsControl | Microsoft.AccountsControl | x | x | x | No | +| Microsoft.AsyncTextService | Microsoft.AsyncTextService | | x | x | No | | Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | | | Microsoft.CredDialogHost | x | x | x | No | -| | Microsoft.ECApp | | x | x | No | +| | Microsoft.ECApp | x | x | x | No | | | Microsoft.LockApp | x | x | x | No | | Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x | No | -| | Microsoft.PPIProjection | x | x | | No | -| | Microsoft.Win32WebViewHost | | | x | No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | x | x | No | +| | Microsoft.PPIProjection | x | x | x | No | +| | Microsoft.Win32WebViewHost | | x | x | No | | | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | | | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | -| | Microsoft.Windows.CapturePicker | | | x | No | +| | Microsoft.Windows.CapturePicker | | x | x | No | | | Microsoft.Windows.CloudExperienceHost | x | x | x | No | | | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | | Cortana | Microsoft.Windows.Cortana | x | x | x | No | | | Microsoft.Windows.Holographic.FirstRun | x | x | | No | -| | Microsoft.Windows.ModalSharePickerHost | x | | | No | | | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | | | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | | | Microsoft.Windows.ParentalControls | x | x | x | No | -| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x | No | -| | Microsoft.Windows.PinningConfirmationDialog | | x | x | No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | x | x | x | No | +| | Microsoft.Windows.PinningConfirmationDialog | x | x | x | No | | | Microsoft.Windows.SecHealthUI | x | x | x | No | -| | Microsoft.Windows.SecondaryTileExperience | x | x | | No | +| | Microsoft.Windows.SecondaryTileExperience | x | | | No | | | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | | Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | | No | +| Windows Feedback | Microsoft.WindowsFeedback | * | | | No | | | Microsoft.XboxGameCallableUI | x | x | x | No | -| | Windows.CBSPreview | | | x | No | -| Contact Support* | Windows.ContactSupport | x | * | | Via Settings App | +| | Windows.CBSPreview | | x | x | No | +| Contact Support* | Windows.ContactSupport | * | | | Via Settings App | | Settings | Windows.immersivecontrolpanel | x | x | x | No | -| Connect | Windows.MiracastView | x | | | No | -| Print 3D | Windows.Print3D | | x | | Yes | +| Print 3D | Windows.Print3D | | x | x | Yes | | Print UI | Windows.PrintDialog | x | x | x | No | -| Purchase UI | Windows.PurchaseDialog | | | | No | > [!NOTE] @@ -161,36 +151,34 @@ System apps are integral to the operating system. Here are the typical system ap ## Installed Windows apps -Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. +Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809. -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? | |--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| -| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | -| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | -| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | +| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | | Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | | News | Microsoft.BingNews | x | x | x | Yes | -| Flipboard | | | | | Yes | -| | Microsoft.Advertising.Xaml | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes | -| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes | -| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes | -| | Microsoft.Services.Store.Engagement | | x | x | Yes | -| | Microsoft.VCLibs.120.00 | x | x | x | Yes | +| Sway | Microsoft.Office.Sway | x | x | x | Yes | +| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | +| | Microsoft.Services.Store.Engagement | x | x | | Yes | +| | Microsoft.VCLibs.120.00 | x | x | | Yes | | | Microsoft.VCLibs.140.00 | x | x | x | Yes | -| | Microsoft.VCLibs.120.00.Universal | | x | | Yes | -| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | -| | Microsoft.WinJS.2.0 | x | | | Yes | ---- \ No newline at end of file +| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | +--- diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md index 37099073f8..3dffa46062 100644 --- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md +++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md @@ -8,6 +8,7 @@ ms.pagetype: mobile ms.author: kaushika-ainapure author: kaushika-msft ms.date: 07/21/2017 +ms.topic: article --- # Deploy application upgrades on Windows 10 Mobile diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 5c20bbd8a7..cf14d39f29 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -41,12 +41,14 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-app-management" + "depot_name": "MSDN.win-app-management", + "folder_relative_path_in_docset": "./" } } }, "fileMetadata": {}, "template": [], - "dest": "win-app-management" + "dest": "win-app-management", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 1ed3eec5da..74e71f0072 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -5,7 +5,7 @@ description: Allow enterprise background tasks unrestricted access to computer r ms.author: twhitney ms.date: 10/03/2017 ms.topic: article -ms.prod: windows +ms.prod: w10 ms.technology: uwp keywords: windows 10, uwp, enterprise, background task, resources --- diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 489c97927a..b41972de75 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -17,17 +17,20 @@ When you update a computer running Windows 10, version 1703 or 1709, you might s >[!NOTE] >* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates. >* This only applies to first-party apps that shipped with Windows 10. This doesn't apply to third-party apps, Microsoft Store apps, or LOB apps. +>* This issue can occur whether you removed the app using `Remove-appxprovisionedpackage` or `Get-AppxPackage -allusers | Remove-AppxPackage -Allusers`. -To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you removed the packages in one of the following ways: +To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you [removed the packages](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage) in one of the following ways: * If you removed the packages while the wim file was mounted when the device was offline. * If you removed the packages by running a PowerShell cmdlet on the device while Windows was online. Although the apps won't appear for new users, you'll still see the apps for the user account you signed in as. -When you remove a provisioned app, we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.) +When you [remove a provisioned app](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage), we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.) + >[!NOTE] >If you remove a provisioned app while Windows is online, it's only removed for *new users*—the user that you signed in as will still have that provisioned app. That's because the registry key created when you deprovision the app only applies to new users created *after* the key is created. This doesn't happen if you remove the provisioned app while Windows is offline. + To prevent these apps from reappearing at the next update, manually create a registry key for each app, then update the computer. ## Create registry keys for deprovisioned apps @@ -38,7 +41,7 @@ Use the following steps to create a registry key: 2. Create a .reg file to generate a registry key for each app. Use [this list of Windows 10, version 1709 registry keys](#registry-keys-for-provisioned-apps) as your starting point. 1. Paste the list of registry keys into Notepad (or a text editor). 2. Remove the registry keys belonging to the apps you want to keep. For example, if you want to keep the Bing Weather app, delete this registry key: - ``` + ```yaml HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\A ppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe] ``` 3. Save the file with a .txt extension, then right-click the file and change the extension to .reg. @@ -158,3 +161,9 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe] ``` + + + +[Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) +[Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) +[Remove-AppxPackage](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 082c384d37..bab488fec7 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -8,6 +8,7 @@ ms.sitesec: library author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Administrative Tools in Windows 10 diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 24681f6db4..2a6671c21f 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -8,6 +8,7 @@ ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium ms.author: greg-lindsay +ms.topic: troubleshooting --- # Advanced troubleshooting 802.1X authentication diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 207d12b5d3..101ca103bc 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -7,6 +7,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 11/16/2018 +ms.topic: troubleshooting --- # Advanced troubleshooting for Windows boot problems diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 412bbb99bc..2581981101 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -8,6 +8,7 @@ ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium ms.author: greg-lindsay +ms.topic: troubleshooting --- # Advanced troubleshooting wireless network connectivity diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 91800241a0..12912a98f5 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -10,6 +10,7 @@ ms.localizationpriority: medium author: jdeckerMS ms.author: jdecker ms.date: 12/06/2018 +ms.topic: article --- # Change history for Client management diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 7c666a3977..7812898ee3 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -10,6 +10,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.date: 08/02/2018 +ms.topic: article --- # Connect to remote Azure Active Directory-joined PC @@ -40,7 +41,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo >[!NOTE] >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: > - >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. + >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. > >In Windows 10, version 1709, the user does not have to sign in to the remote device first. > @@ -49,7 +50,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. >[!TIP] - >When you connect to the remote PC, enter your account name in this format: `AzureADName\YourAccountName`. + >When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. ## Supported configurations diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index b0f3faa4c1..cc14ac0242 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -8,6 +8,7 @@ ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium ms.author: mikeblodge +ms.topic: troubleshooting --- # Data collection for troubleshooting 802.1X authentication diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index eab3b9f62e..54140237f9 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -40,12 +40,14 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-client-management" + "depot_name": "MSDN.win-client-management", + "folder_relative_path_in_docset": "./" } } }, "fileMetadata": {}, "template": [], - "dest": "win-client-management" + "dest": "win-client-management", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index 94d8c56785..38beb2bfcd 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -7,6 +7,7 @@ ms.sitesec: library author: brianlic-msft ms.localizationpriority: medium ms.date: 10/13/2017 +ms.topic: troubleshooting --- # Group Policy settings that apply only to Windows 10 Enterprise and Education Editions diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md index ca385d841a..19455fe9cd 100644 --- a/windows/client-management/img-boot-sequence.md +++ b/windows/client-management/img-boot-sequence.md @@ -2,6 +2,8 @@ description: A full-sized view of the boot sequence flowchart. title: Boot sequence flowchart ms.date: 11/16/2018 +ms.topic: article +ms.prod: w10 --- Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md index 0d3b6b861f..18a5683f62 100644 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md @@ -9,6 +9,7 @@ ms.pagetype: mobile author: jdeckerms ms.localizationpriority: medium ms.date: 09/21/2017 +ms.topic: article --- # Join Windows 10 Mobile to Azure Active Directory diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 66ebec76b8..4d37e28f84 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -10,6 +10,7 @@ ms.pagetype: devices author: jdeckerms ms.localizationpriority: medium ms.date: 09/21/2017 +ms.topic: article --- # Manage corporate devices diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 7b80381b7c..2f41baa313 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: brianlic-msft ms.date: 04/19/2017 +ms.topic: article --- **Applies to** diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 8581c76291..759f45080d 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -9,6 +9,7 @@ ms.pagetype: devices author: MariciaAlforque ms.localizationpriority: medium ms.date: 04/26/2018 +ms.topic: article --- # Manage Windows 10 in your organization - transitioning to modern management diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 0a91b0f2ad..2db6848263 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -8,6 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.date: 10/02/2018 +ms.topic: article --- # Create mandatory user profiles diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index e6004a22a5..13f0987eca 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -895,6 +895,7 @@ Status Get + diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 2e0b0840bd..17e70ad2c6 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -101,7 +101,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -149,7 +149,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -227,7 +227,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -324,7 +324,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -393,7 +393,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -429,7 +429,7 @@ The following diagram shows the BitLocker configuration service provider in tree

The possible values for 'xx' are:

- 0 = Empty -- 1 = Use default recovery message and URL. +- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). - 2 = Custom recovery message is set. - 3 = Custom recovery URL is set. - 'yy' = string of max length 900. @@ -474,7 +474,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -572,7 +572,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -671,7 +671,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -733,7 +733,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark @@ -814,7 +814,7 @@ The following diagram shows the BitLocker configuration service provider in tree cross mark - cross mark + check mark check mark check mark check mark diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dfd6b9d464..8f8ef0ecd3 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2672,6 +2672,7 @@ The following list shows the configuration service providers supported in Window | Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition | |--------|--------|------------| | [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | +| [Accounts CSP](accounts-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 4b9157ad49..17d1ddd6e7 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -338,7 +338,7 @@ Delete a provider ``` -**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/TraceLevel** +**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel** Specifies the level of detail included in the trace log. The data type is an integer. @@ -407,7 +407,7 @@ Set provider **TraceLevel** ``` -**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/Keywords** +**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords** Specifies the provider keywords to be used as MatchAnyKeyword for this provider. the data type is a string. @@ -461,7 +461,7 @@ Set provider **Keywords** ``` -**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/State** +**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State** Specifies if this provider is enabled in the trace session. The data type is a boolean. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index a33799474c..0caa97871c 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -725,12 +725,12 @@ Required. Added in Windows 10, version 1803. This node allows the MDM to set cus Supported operations are Add, Get, Delete, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides wheter or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. +Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. Supported operations are Get and Replace. Value type is bool. **Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides wheter or not the MDM user progress page skips after Azure AD joined or DJ++ after user login. +Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login. Supported operations are Get and Replace. Value type is bool. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index fb26b71e0c..f6e7f9cc49 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -14,7 +14,7 @@ ms.date: 11/01/2017 This is a step-by-step guide to configuring ADMX-backed policies in MDM. -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: - Find the policy from the list ADMX-backed policies. @@ -22,6 +22,11 @@ Summary of steps to enable a policy: - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. - Create the data payload for the SyncML. +See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) for a walk-through using Intune. + +>[!TIP] +>Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows) + ## Enable a policy 1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description. @@ -50,7 +55,7 @@ Summary of steps to enable a policy: ![Enable App-V client](images/admx-appv-enableapp-vclient.png) -3. Create the SyncML to enable the policy that does not require any parameter. +3. Create the SyncML to enable the policy that does not require any parameter. In this example you configure **Enable App-V Client** to **Enabled**. @@ -82,7 +87,7 @@ Summary of steps to enable a policy: ## Enable a policy that requires parameters -1. Create the SyncML to enable the policy that requires parameters. +1. Create the SyncML to enable the policy that requires parameters. In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. @@ -299,12 +304,3 @@ The \ payload is empty. Here an example to set AppVirtualization/Publishin ``` -## Video walkthrough - -Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune. - -> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121] - -Here is a video of how to import a custom ADMX file to a device using Intune. - -> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73] \ No newline at end of file diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 798680aa7c..f64d0cdc9d 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -277,6 +277,7 @@ Sample syncxml to provision the firewall settings to evaluate

If not specified, the default is All.

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+

The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

**FirewallRules/_FirewallRuleName_/Description**

Specifies the description of the rule.

@@ -306,7 +307,7 @@ Sample syncxml to provision the firewall settings to evaluate

Value type is integer. Supported operations are Get and Replace.

**FirewallRules/_FirewallRuleName_/Direction** -

Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:

+

The rule is enabled based on the traffic direction as following. Supported values:

If not specified, the default is All.

Value type is string. Supported operations are Get and Replace.

diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 563f13334a..6a783571df 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -76,8 +76,8 @@ The data type is string. Supported operations are Get and Replace. Starting in W Specifies whether the proxy server should be used for local (intranet) addresses.  Valid values: The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 52c8272547..b7d977b310 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -49,6 +49,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [Requirements to note for VPN certificates also used for Kerberos Authentication](#a-href%22%22-id%22kerberos%22arequirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication) - [Device management agent for the push-button reset is not working](#a-href%22%22-id%22pushbuttonreset%22adevice-management-agent-for-the-push-button-reset-is-not-working) - [Change history in MDM documentation](#change-history-in-mdm-documentation) + - [February 2019](#february-2019) - [January 2019](#january-2019) - [December 2018](#december-2018) - [September 2018](#september-2018) @@ -1778,6 +1779,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### February 2019 + +|New or updated topic | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.| + ### January 2019 |New or updated topic | Description| diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index c0369b83bb..72df15b90d 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -13,7 +13,7 @@ ms.date: 06/26/2017 # OMA DM protocol support -The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). ## In this topic @@ -62,7 +62,7 @@ The following table shows the OMA DM standards that Windows uses.

DM protocol commands

-

The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).

+

The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).

diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 0045989a89..d44fb4db2e 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -8,6 +8,7 @@ author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 09/24/2018 +ms.topic: article --- # Optimize Windows 10 update delivery diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 3e82500cc3..3d46e34a86 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -9,6 +9,7 @@ author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 09/24/2018 +ms.topic: article --- # Overview of Windows as a service @@ -116,8 +117,7 @@ The concept of servicing channels is new, but organizations can use the same man ### Semi-Annual Channel -In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing modal is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. -Once the latest release went through pilot deployment and testing, you choose the timing at which it goes into broad deployment. +In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). @@ -145,7 +145,7 @@ Microsoft never publishes feature updates through Windows Update on devices that >[!NOTE] >Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). -The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even of you install by using sideloading. +The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. >[!NOTE] >If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index ed003254cc..9ef541fce2 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -9,6 +9,7 @@ author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 10/17/2018 +ms.topic: article --- # Quick guide to Windows as a service diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 3a9036f170..13c1dce96d 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -8,6 +8,7 @@ author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 07/27/2017 +ms.topic: article --- # Manage device restarts after updates @@ -16,15 +17,15 @@ ms.date: 07/27/2017 **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 10 Mobile -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation -In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time. +In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time. To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). @@ -39,7 +40,7 @@ For a detailed description of these registry keys, see [Registry keys used to ma When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation: - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. -- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. @@ -47,9 +48,9 @@ For a detailed description of these registry keys, see [Registry keys used to ma ## Configure active hours -*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. +*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. -By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. +By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time. @@ -88,7 +89,7 @@ For a detailed description of these registry keys, see [Registry keys used to ma With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time. -To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. +To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange). @@ -102,9 +103,9 @@ In Windows 10, version 1703, we have added settings to control restart notificat ### Auto-restart notifications -Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. +Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. -To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. +To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal) @@ -169,7 +170,7 @@ The following tables list registry values that correspond to the Group Policy se | Registry key | Key type | Value | | --- | --- | --- | | ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | | SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
1: enable automatic restart after updates outside of active hours | **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** @@ -178,32 +179,24 @@ The following tables list registry values that correspond to the Group Policy se | --- | --- | --- | | AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | | AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | -| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | -| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | +| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates
3: automatically download and notify for installation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | There are 3 different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. - To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. -- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. +- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. ## Related topics - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - - - - - - - - diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index aae22f0a1e..7a7dfcc5d0 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -8,6 +8,7 @@ author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 10/13/2017 +ms.topic: article --- # Assign devices to servicing channels for Windows 10 updates diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 27e3799565..20a86bd384 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -8,6 +8,8 @@ ms.sitesec: library author: KarenSimWindows ms.localizationpriority: medium ms.author: karensim +ms.topic: article +ms.collection: M365-modern-desktop --- # Understanding the differences between servicing Windows 10-era and legacy Windows operating systems @@ -51,7 +53,7 @@ This cumulative update model for Windows 10 has helped provide the Windows ecosy - [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model. - For Windows 10, available update types vary by publishing channel: - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates. - - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this example for Windows 10, version 1709) For more information on Servicing Stack Updates, please see this blog. + - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates). - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date. - Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section). diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 6041f964a6..ab220901a1 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -8,6 +8,7 @@ author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 11/02/2018 +ms.topic: article --- # Prepare servicing strategy for Windows 10 updates diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index b44107bdd2..7749569b04 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -8,6 +8,7 @@ author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 07/27/2017 +ms.topic: article --- # Manage additional Windows Update settings diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index c400740a30..706d1cc4a6 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -8,6 +8,7 @@ author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 07/27/2017 +ms.topic: article --- # Walkthrough: use Group Policy to configure Windows Update for Business diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index f32cbbedeb..e65e9b8d2d 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -8,6 +8,7 @@ author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.date: 07/27/2017 +ms.topic: article --- # Walkthrough: use Microsoft Intune to configure Windows Update for Business diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index c11042619d..c1f447026d 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -9,6 +9,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article --- # Frequently asked questions and troubleshooting Windows Analytics @@ -40,6 +42,8 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win [Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) +[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results) + [Disable Upgrade Readiness](#disable-upgrade-readiness) [Exporting large data sets](#exporting-large-data-sets) @@ -49,10 +53,10 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. -Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog. +Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog. >[!NOTE] -> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness. +> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it. If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: @@ -76,13 +80,15 @@ If you have deployed images that have not been generalized, then many of them mi [![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) -If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue: -1. Confirm that the devices are running Windows10. -2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). -3. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). -4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -5. Wait 48 hours for activity to appear in the reports. -6. If you need additional troubleshooting, contact Microsoft Support. +If you have devices that appear in other solutions, but not Device Health (the Device Health overview tile shows "Performing Assessment" or the device count is lower than expected), follow these steps to investigate the issue: +1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. +2. Confirm that the devices are running Windows 10. +3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). +4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). +5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. +6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace +7. Wait 48 hours for activity to appear in the reports. +8. If you need additional troubleshooting, contact Microsoft Support. ### Device crashes not appearing in Device Health Device Reliability @@ -197,6 +203,20 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that ### Device names not appearing for Windows 10 devices Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. +### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results +This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button. + +We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds: + + +- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds. +- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced. +- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include: + - Log: System, ID: 41, Source: Kernel-Power + - Log System, ID: 6008, Source: EventLog + + + ### Disable Upgrade Readiness If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 384738b8fa..bbca1ea487 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -9,6 +9,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article --- # Windows Analytics in the Azure Portal @@ -27,7 +29,7 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and It's important to understand the difference between Azure Active Directory and an Azure subscription: -**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. +**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 849127c525..f0ee52dd38 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -9,6 +9,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article --- # Enrolling devices in Windows Analytics @@ -149,7 +151,7 @@ When you run the deployment script, it initiates a full scan. The daily schedule ### Distribute the deployment script at scale -Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [New version of the Upgrade Analytics Deployment Script available](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/) on the Upgrade Readiness blog. For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension). +Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension). ### Distributing policies at scale There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set. @@ -167,7 +169,7 @@ These policies are under Microsoft\Windows\DataCollection: | CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. | -You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/ProviderID/CommercialID). For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation. +You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/*Provider ID*/CommercialID). (If you are using Microsoft Intune, use `MS DM Server` as the provider ID.) For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation. The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys: diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index d150f9e110..8ebb6a4bff 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md @@ -9,6 +9,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article --- # Windows Analytics overview @@ -49,4 +51,7 @@ Use Upgrade Readiness to get: - Application usage information, allowing targeted validation; workflow to track validation progress and decisions - Data export to commonly used software deployment tools, including System Center Configuration Manager -To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. \ No newline at end of file +To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. + +>[!NOTE] +> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions). diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 1ce1363b10..744f34d7a4 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -9,6 +9,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: high +ms.collection: M365-analytics +ms.topic: article --- # Windows Analytics and privacy diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index ad022440c3..c020f63f0f 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -8,6 +8,7 @@ author: lizap ms.author: elizapo ms.date: 01/24/2019 ms.localizationpriority: high +ms.collection: M365-modern-desktop --- # Windows as a service @@ -17,39 +18,21 @@ Find the tools and resources you need to help deploy and support Windows as a se Find the latest and greatest news on Windows 10 deployment and servicing. -**Working to make Windows updates clear and transparent** -> [!VIDEO https://www.youtube-nocookie.com/embed/u5P20y39DrA] +**Discovering the Windows 10 Update history pages** +> [!VIDEO https://www.youtube-nocookie.com/embed/GADIXBf9R58] Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues. The latest news: [See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index d507deedb3..8552724e85 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -8,6 +8,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 09/18/2018 +ms.topic: article --- # Windows Update error codes by component diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 25fd1a5279..d63d0500b4 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -8,6 +8,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 09/18/2018 +ms.topic: article --- # Windows Update common errors and mitigation diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index b202854a46..b65bcc0c93 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -8,6 +8,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 09/18/2018 +ms.topic: article --- # Windows Update log files diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index a89c60d9ec..18664e5161 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -8,6 +8,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 09/18/2018 +ms.topic: article --- # Get started with Windows Update diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index eeac6b3852..0066e48950 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -8,6 +8,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 09/18/2018 +ms.topic: article --- # Windows Update - additional resources @@ -105,7 +106,7 @@ The following resources provide additional information about using Windows Updat - regsvr32.exe wuwebv.dll 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: ``` - netsh reset winsock + netsh winsock reset ``` 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: ``` diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index c4202da9c9..5f09b45f16 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -8,6 +8,7 @@ author: kaushika-msft ms.localizationpriority: medium ms.author: elizapo ms.date: 09/18/2018 +ms.topic: article --- # Windows Update troubleshooting @@ -102,6 +103,7 @@ netsh winhttp set proxy ProxyServerName:PortNumber If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: + *.download.windowsupdate.com *.dl.delivery.mp.microsoft.com *.emdl.ws.microsoft.com diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index d8cfc4631a..da64371629 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md @@ -8,6 +8,7 @@ author: lizap ms.localizationpriority: medium ms.author: elizapo ms.date: 06/20/2018 +ms.topic: article --- # Set up Automatic Update in Windows Update for Business with group policies diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index 899a052c51..6cdd0a1cc6 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md @@ -8,6 +8,7 @@ author: lizap ms.localizationpriority: medium ms.author: elizapo ms.date: 06/20/2018 +ms.topic: article --- # Configure the Basic group policy for Windows Update for Business diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 833ec9e014..5d1f0ea0d5 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -8,6 +8,7 @@ author: lizap ms.localizationpriority: medium ms.author: elizapo ms.date: 06/20/2018 +ms.topic: article --- # Enforcing compliance deadlines for updates diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index 5580d134d5..c49ed5ff8a 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -8,6 +8,7 @@ author: lizap ms.localizationpriority: medium ms.author: elizapo ms.date: 06/21/2018 +ms.topic: article --- # Managing drivers, dual-managed environments, and Delivery Optimization with group policies diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 648f63e398..84aa983ea8 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md @@ -8,6 +8,7 @@ author: lizap ms.localizationpriority: medium ms.author: elizapo ms.date: 06/20/2018 +ms.topic: article --- # Manage feature and quality updates with group policies diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md index dac150819b..022e4b177b 100644 --- a/windows/deployment/update/wufb-onboard.md +++ b/windows/deployment/update/wufb-onboard.md @@ -8,6 +8,7 @@ author: lizap ms.localizationpriority: medium ms.author: elizapo ms.date: 06/20/2018 +ms.topic: article --- # Onboarding to Windows Update for Business in Windows 10 diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index e68fbd4f41..a966f7ad8e 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 ms.localizationpriority: medium +ms.topic: article --- # Log files @@ -54,7 +55,7 @@ Event logs: Generic rollbacks (0xC1900101) or unexpected reboots. ## Log entry structure -A setupact.log or setuperr.log entry includes the following elements: +A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
  1. The date and time - 2016-09-08 09:20:05. diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index 73daaea76b..05ad622fed 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -4,6 +4,7 @@ description: Provides an overview of the process of managing Windows upgrades wi ms.prod: w10 author: greg-lindsay ms.date: 04/25/2017 +ms.topic: article --- # Manage Windows upgrades with Upgrade Readiness diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index fd3ae2a1d7..d8b5c9b9e4 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 05/03/2018 ms.localizationpriority: medium +ms.topic: article --- # Quick fixes diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 825c47fba7..3b660307e8 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 ms.localizationpriority: medium +ms.topic: article --- # Resolution procedures diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 80c7484a85..3193a41095 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 04/18/2018 ms.localizationpriority: medium +ms.topic: article --- # Resolve Windows 10 upgrade errors : Technical information for IT Pros diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 8b8a90dcf1..9b97b16be8 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 12/18/2018 ms.localizationpriority: medium +ms.topic: article --- # SetupDiag diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index e856e35e36..a3241982d6 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 03/16/2018 ms.localizationpriority: medium +ms.topic: article --- # Submit Windows 10 upgrade errors using Feedback Hub diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index e363b4d807..e89aab650c 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.localizationpriority: medium +ms.topic: article --- # Troubleshooting upgrade errors diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 00d8d41bb4..398c6de350 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 08/18/2018 ms.localizationpriority: medium +ms.topic: article --- # Upgrade error codes diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 74c4a1b565..7c3bfe6c23 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -3,6 +3,8 @@ title: Upgrade Readiness - Additional insights description: Explains additional features of Upgrade Readiness. ms.prod: w10 author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness - Additional insights diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index d0bf1ba221..bba456b2e9 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md +++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md @@ -3,6 +3,8 @@ title: Upgrade Readiness architecture (Windows 10) description: Describes Upgrade Readiness architecture. ms.prod: w10 author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness architecture diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 5be4b56f53..9753f76d40 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -6,6 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness data sharing diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index 96332bb317..38f7cf60aa 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -3,6 +3,8 @@ title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windo description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. ms.prod: w10 author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness - Step 3: Deploy Windows diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index ec7d59b862..e7440a2195 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -6,6 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness deployment script @@ -15,7 +17,7 @@ To automate the steps provided in [Get started with Upgrade Readiness](upgrade-r >[!IMPORTANT] >Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. -For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). +For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread). > The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 89b0ca53fe..a796d396d4 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -9,6 +9,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics --- # Get started with Upgrade Readiness @@ -57,7 +59,7 @@ Upgrade Readiness is offered as a *solution* which you link to a new or existing - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **Free**. + - For the pricing tier select **per GB**. 4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) 5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md index b089d65f7b..0d0bf625ef 100644 --- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md +++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md @@ -3,6 +3,8 @@ title: Upgrade Readiness - Identify important apps (Windows 10) description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. ms.prod: w10 author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness - Step 1: Identify important apps diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md index e1e0bb0a7d..f84da4c3eb 100644 --- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md +++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md @@ -6,6 +6,8 @@ ms.localizationpriority: medium ms.prod: w10 author: jaimeo ms.author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness - Step 4: Monitor diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index e7f6a76085..9d4f85609f 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -6,6 +6,8 @@ ms.prod: w10 author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness requirements @@ -24,7 +26,8 @@ The compatibility update that sends diagnostic data from user computers to Micro If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. -Note: Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. +> [!NOTE] +> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 3c73b1ceb3..d6d2f7af15 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -6,6 +6,8 @@ ms.prod: w10 author: jaimeo ms.author: jaimeo ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness - Step 2: Resolve app and driver issues diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index 591cc06de3..24abb86fb6 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md @@ -3,6 +3,8 @@ title: Upgrade Readiness - Targeting a new operating system version description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor ms.prod: w10 author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Targeting a new operating system version diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index d3560f85ac..fb74ebaab1 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -3,6 +3,8 @@ title: Upgrade Readiness - Upgrade Overview (Windows 10) description: Displays the total count of computers sharing data and upgraded. ms.prod: w10 author: jaimeo +ms.topic: article +ms.collection: M365-analytics --- # Upgrade Readiness - Upgrade overview diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 1954507487..d9763887fe 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -8,6 +8,7 @@ ms.localizationpriority: medium ms.mktglfcycl: deploy author: mtniehaus ms.date: 07/27/2017 +ms.topic: article --- # Perform an in-place upgrade to Windows 10 using Configuration Manager diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index d6cdab7ce2..7986e2b587 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: mdt author: mtniehaus ms.date: 07/27/2017 +ms.topic: article --- # Perform an in-place upgrade to Windows 10 with MDT diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 8c687c4309..ed314a0bb8 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -ms.pagetype: mdt -author: Jamiejdt -ms.date: 07/27/2017 +ms.pagetype: mdm +author: greg-lindsay +ms.topic: article --- # Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) @@ -18,9 +18,15 @@ ms.date: 07/27/2017 - Windows 10 Mobile ## Summary -This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using Mobile Device Management (MDM). To determine if the device is eligible for an upgrade, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. +This article describes how system administrators can upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM). + +>[!IMPORTANT] +>If you are not a system administrator, see the [Windows 10 Mobile Upgrade & Updates](https://www.microsoft.com/windows/windows-10-mobile-upgrade) page for details about updating your Windows 8.1 Mobile device to Windows 10 Mobile using the [Upgrade Advisor](https://www.microsoft.com/store/p/upgrade-advisor/9nblggh0f5g4). + +## Upgrading with MDM + +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. @@ -89,7 +95,7 @@ The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterp We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. -Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page. +Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 Mobile FAQ](https://support.microsoft.com/help/10599/windows-10-mobile-how-to-get) page. ### How to blacklist the Upgrade Advisor app diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index 97bc60f3d0..5b149323f8 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -7,6 +7,7 @@ ms.prod: w10 author: jaimeo ms.author: jaimeo ms.date: 07/31/2018 +ms.topic: article --- # Use Upgrade Readiness to manage Windows upgrades diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 469b80ff01..7183dcd91c 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -8,6 +8,7 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mobile author: greg-lindsay +ms.topic: article --- # Windows 10 edition upgrade diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 91d6394973..6c780da774 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.localizationpriority: medium ms.pagetype: mobile author: greg-lindsay +ms.topic: article --- # Windows 10 upgrade paths @@ -42,7 +43,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar Windows 10 Pro Education Windows 10 Education Windows 10 Enterprise - Windows 10 Enterprise LTSC Windows 10 Mobile Windows 10 Mobile Enterprise @@ -264,17 +264,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - - Enterprise LTSC - - - - - ✔ - ✔ - - - Mobile diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 00ad7ccbf0..1b021674ca 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 ms.localizationpriority: medium +ms.topic: article --- # Windows error reporting diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index a16c0e1719..d5eff8daa4 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 11/17/2017 +ms.topic: article --- # Windows upgrade and migration considerations diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 7414694368..060c4485ec 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Getting Started with the User State Migration Tool (USMT) diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 8f7ffec7b1..f80bc67ba2 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Migrate Application Settings diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index 9d396de135..d019dc53f2 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Migration Store Types Overview diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index bb58e9867d..93bdc1523e 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Offline Migration Reference diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index b7c52607a1..0f29913dee 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Understanding Migration XML Files diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 40967a0ee3..5d26845936 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # USMT Best Practices diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 4551589ccd..fd3170f994 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Choose a Migration Store Type diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 53367d6cb0..9d5968c09d 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # User State Migration Tool (USMT) Command-line Syntax diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 67ac98fcad..753055a44c 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.date: 09/19/2017 author: greg-lindsay +ms.topic: article --- # Common Issues diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 0cf81e4fed..9610ddc0ca 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Common Migration Scenarios diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 549a863089..7a81795919 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Config.xml File diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index 5facab35e2..835c365684 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Conflicts and Precedence diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 69d78fbd54..7aa6d0c5d4 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Custom XML Examples diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index affa696a95..a07abab50d 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Customize USMT XML Files diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index bdae639513..224a7d5a1b 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Determine What to Migrate diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index ac8107db57..670edce731 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Estimate Migration Store Size diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 7f45010a75..3e8388b8b8 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Exclude Files and Settings diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index ff5a96e50d..90f1903e5d 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Extract Files from a Compressed USMT Migration Store diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md index 42ff54b6cf..70d6e1b2f5 100644 --- a/windows/deployment/usmt/usmt-faq.md +++ b/windows/deployment/usmt/usmt-faq.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Frequently Asked Questions diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 3cbed8dac0..ea9b591221 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # General Conventions diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 6c3a39cbad..2de6572380 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Hard-Link Migration Store diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index f5ebecc8eb..956abe0554 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # How USMT Works diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index f3e4659b75..57faa88dd9 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # User State Migration Tool (USMT) How-to topics diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index c924cce50b..134ae9d3a7 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Identify Applications Settings diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index ded6a59f34..5070fe03e4 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Identify File Types, Files, and Folders diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index 6695528a7c..28d95e4b3b 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Identify Operating System Settings diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 58fe715cfb..5654585491 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Identify Users diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 31cb94e46d..b3e26e37b3 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Include Files and Settings diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index 522972b99b..760fbb96ed 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # LoadState Syntax diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index ba63a86235..3c71bf52ca 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Log Files diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index ea1fda6f15..c38ad5f818 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Migrate EFS Files and Certificates diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 5007823608..94224b2a0c 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Migrate User Accounts @@ -24,7 +25,7 @@ By default, all users are migrated. The only way to specify which users to inclu - [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) ## To migrate all user accounts and user settings - +Links to detailed explanations of commands are available in the Related Topics section. 1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: @@ -48,7 +49,7 @@ By default, all users are migrated. The only way to specify which users to inclu   ## To migrate two domain accounts (User1 and User2) - +Links to detailed explanations of commands are available in the Related Topics section. 1. Log on to the source computer as an administrator, and specify: @@ -61,7 +62,7 @@ By default, all users are migrated. The only way to specify which users to inclu `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` ## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain - +Links to detailed explanations of commands are available in the Related Topics section. 1. Log on to the source computer as an administrator, and type the following at the command-line prompt: diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index f1e7205880..a177f4bccb 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Migration Store Encryption diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 64dca2cedb..6cd2240e96 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 10/16/2017 +ms.topic: article --- # User State Migration Tool (USMT) Overview diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index d8cbeb6f28..aabd7f7072 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Plan Your Migration diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index e83a3bc015..7012dc5ff6 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Recognized Environment Variables diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 782c80df15..6472bb3b6a 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # User State Migration Toolkit (USMT) Reference diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 6166d21bcd..c4d78425d6 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 05/03/2017 +ms.topic: article --- # USMT Requirements diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index b34f25672c..9f146337b3 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Reroute Files and Settings diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index bd334fc553..c934bdd8eb 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # USMT Resources diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md index 287ac6ffc7..0ec3d9f0f8 100644 --- a/windows/deployment/usmt/usmt-return-codes.md +++ b/windows/deployment/usmt/usmt-return-codes.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Return Codes diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 2443952b25..ca8aab7167 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # ScanState Syntax diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 352c1e7ae7..8386dcb426 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # User State Migration Tool (USMT) Technical Reference diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 72194933a6..fd06ddddea 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Test Your Migration diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index ee6c7f1409..16bffa6816 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # User State Migration Tool (USMT) Overview Topics diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index b3588b8bab..a3c18ef846 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # User State Migration Tool (USMT) Troubleshooting diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 7d636d1d1a..1f7f57ce3e 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # UsmtUtils Syntax diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index ab7bbe5661..90ad6b1407 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 09/12/2017 +ms.topic: article --- # What does USMT migrate? diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 46ec2a4af2..edea901079 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # XML Elements Library diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index f613485b42..bf89e762e9 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # USMT XML Reference diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 277b89ff90..273d230290 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # Verify the Condition of a Compressed Migration Store diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index a85b173f69..968c47e9bb 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 04/19/2017 +ms.topic: article --- # XML File Requirements diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 63031ebeaa..52d00d7f17 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -9,6 +9,8 @@ ms.sitesec: library ms.pagetype: mdt ms.date: 05/17/2018 author: greg-lindsay +ms.topic: article +ms.collection: M365-modern-desktop --- # Configure VDA for Windows 10 Subscription Activation diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 394e9dbac2..feaadc8e47 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Activate by Proxy an Active Directory Forest diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 9673148fa4..ea37d1ba1a 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Activate an Active Directory Forest Online diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 66f3559c4f..03e0029f83 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: greg-lindsay ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Activate using Active Directory-based activation diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index ebb0b5998f..dd8545387c 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 10/16/2017 +ms.topic: article --- # Activate using Key Management Service diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index e6dadebd76..2747cb444b 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Activate clients running Windows 10 diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index 80c66dec36..f217d8827c 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: greg-lindsay ms.date: 12/07/2018 +ms.topic: article --- # Active Directory-Based Activation overview diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index d3f1736d57..3f226d854d 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Add and Manage Products diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 14eb6d93b5..612916effe 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library author: jdeckerms ms.pagetype: activation ms.date: 04/25/2017 +ms.topic: article --- # Add and Remove Computers diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index dbc43dacd5..0168f3de62 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Add and Remove a Product Key diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 63b927fef1..09daa5dffb 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -10,7 +10,9 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- + # Appendix: Information sent to Microsoft during activation **Applies to** - Windows 10 diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index bc6d81502b..ce4dae56e7 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Configure Client Computers diff --git a/windows/deployment/volume-activation/images/sql-instance.png b/windows/deployment/volume-activation/images/sql-instance.png new file mode 100644 index 0000000000..379935e01c Binary files /dev/null and b/windows/deployment/volume-activation/images/sql-instance.png differ diff --git a/windows/deployment/volume-activation/images/vamt-db.png b/windows/deployment/volume-activation/images/vamt-db.png new file mode 100644 index 0000000000..6c353fe835 Binary files /dev/null and b/windows/deployment/volume-activation/images/vamt-db.png differ diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 761457d1c2..6c5122845f 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Import and Export VAMT Data diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 2f86348791..cd82ce78a4 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -9,6 +9,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Install and Configure VAMT diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index d5409b4409..2894ba4f88 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -9,6 +9,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Install a KMS Client Key diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 47904029b2..fb7df4b2e4 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -9,6 +9,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Install a Product Key diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index cacf7ac0d0..a4905eb8ae 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -8,7 +8,8 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium -ms.date: 04/25/2018 +ms.date: 03/11/2019 +ms.topic: article --- # Install VAMT @@ -17,7 +18,7 @@ This topic describes how to install the Volume Activation Management Tool (VAMT) ## Install VAMT -You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10. +You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. >[!IMPORTANT]   >VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  @@ -25,24 +26,46 @@ You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK) >[!NOTE]   >The VAMT Microsoft Management Console snap-in ships as an x86 package. -To install SQL Server Express: -1. Install the Windows ADK. -2. Ensure that **Volume Activation Management Tool** is selected to be installed. -3. Click **Install**. +### Requirements + +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied +- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) +- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) + +### Install SQL Server 2017 Express + +1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. +2. Select **Basic**. +3. Accept the license terms. +4. Enter an install location or use the default path, and then select **Install**. +5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + +### Install VAMT using the ADK + +1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. +2. Enter an install location or use the default path, and then select **Next**. +3. Select a privacy setting, and then select **Next**. +4. Accept the license terms. +5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) +6. On the completion page, select **Close**. + +### Configure VAMT to connect to SQL Server 2017 Express + +1. Open **Volume Active Management Tool 3.1** from the Start menu. +2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. + + ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) -## Select a Database -VAMT requires a SQL database. After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can [download a free copy of Microsoft SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) and create a new database into which you can import the CIL. -You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database. ## Uninstall VAMT -To uninstall VAMT via the **Programs and Features** Control Panel: -1. Open the **Control Panel** and select **Programs and Features**. +To uninstall VAMT using the **Programs and Features** Control Panel: +1. Open **Control Panel** and select **Programs and Features**. 2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. -## Related topics -- [Install and Configure VAMT](install-configure-vamt.md) +     diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index d527c0e57a..da71484e83 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Introduction to VAMT diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index d399375158..9752481f0b 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Perform KMS Activation diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 81d2deb8aa..c2c0095d04 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Perform Local Reactivation diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 29aee68fac..480d593d6d 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Manage Activations diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 4e51082561..356b2adbca 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Manage Product Keys diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index b71b5629d9..f2a1b046c1 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Manage VAMT Data diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 1b8d6436f4..1b13e0e5ff 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: greg-lindsay ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Monitor activation diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index ec04a095dd..1342ffa177 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Perform Online Activation diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index d1cdff4f2f..26eb638a78 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 09/27/2017 +ms.topic: article --- # Plan for volume activation diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 8b1fda4134..aab7a8768c 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Perform Proxy Activation diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 54d63f20f6..719e036af3 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Remove Products diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 1b3ee09ca7..74bb58d089 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Scenario 3: KMS Client Activation diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 04b2b6ea5d..ba55442b69 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Scenario 1: Online Activation diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index a57fcad150..e83331d22e 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Scenario 2: Proxy Activation diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 81108e69e4..a114a8e286 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Update Product Status diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index 16b38ae4ee..68c4c3cd66 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Use the Volume Activation Management Tool diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index ff1efca6bc..521f5ee32b 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Use VAMT in Windows PowerShell diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 99dd5123f7..19ce9dbba1 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # VAMT Known Issues diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index f595695c11..553111ae6f 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # VAMT Requirements diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 7678851556..f057e3302e 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # VAMT Step-by-Step Scenarios diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index 17df92c0e9..172989517e 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.date: 04/25/2017 +ms.topic: article --- # Volume Activation Management Tool (VAMT) Technical Reference diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 00cf4068f1..ebf9a48213 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -10,6 +10,7 @@ ms.pagetype: activation author: jdeckerms ms.localizationpriority: medium ms.date: 07/27/2017 +ms.topic: article --- # Volume Activation for Windows 10 diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 684ee94aa7..e9cd9edd07 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.sitesec: library ms.date: 11/06/2018 author: greg-lindsay +ms.topic: article --- # Windows 10 deployment scenarios diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index 624e9bf703..0395575429 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 07/12/2017 +ms.topic: article --- # Windows 10 deployment tools diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index b9b4727e55..ec368c30f1 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.date: 10/16/2017 +ms.topic: article --- # Windows 10 deployment tools diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 950c8553a1..8419e4ccb1 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -9,13 +9,15 @@ ms.sitesec: library ms.pagetype: mdt ms.date: 08/24/2017 author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- # Windows 10 Enterprise E3 in CSP Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: -- Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded - Azure Active Directory (Azure AD) available for identity management Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. @@ -249,5 +251,5 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
    [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) -
    [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) -
    [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) +
    [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) +
    [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 73593356e4..767a8c0724 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -8,6 +8,10 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt author: greg-lindsay +ms.collection: M365-modern-desktop +search.appverid: +- MET150 +ms.topic: article --- # Windows 10 Subscription Activation diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 23489fb3dd..ab9ff889c0 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -8,6 +8,7 @@ ms.localizationpriority: medium ms.date: 10/20/2017 ms.sitesec: library author: greg-lindsay +ms.topic: article --- # Windows 10 volume license media diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 46a39d7a66..708ffc8476 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium author: kaushika-msft ms.author: kaushika ms.date: 10/31/2017 +ms.topic: article --- # How to install fonts that are missing after upgrading to Windows 10 diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 789488af22..340920f673 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -9,6 +9,7 @@ keywords: deployment, automate, tools, configure, mdt ms.localizationpriority: medium ms.date: 10/11/2017 author: greg-lindsay +ms.topic: article --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 804e016464..a83edcf57d 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -9,6 +9,7 @@ keywords: deployment, automate, tools, configure, sccm ms.localizationpriority: medium ms.date: 10/11/2017 author: greg-lindsay +ms.topic: article --- # Deploy Windows 10 in a test lab using System Center Configuration Manager diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 27aa69d26a..08755c35c9 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -9,6 +9,7 @@ keywords: deployment, automate, tools, configure, mdt, sccm ms.localizationpriority: medium ms.date: 11/16/2017 author: greg-lindsay +ms.topic: article --- # Step by step guide: Configure a test lab to deploy Windows 10 diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index 2c2a9c2a25..2e66746137 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -8,6 +8,8 @@ ms.prod: w10 ms.sitesec: library ms.pagetype: deploy author: jaimeo +ms.collection: M365-modern-desktop +ms.topic: article --- # Switch to Windows 10 Pro or Enterprise from S mode diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 05a2b022ab..06d9b89385 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -8,6 +8,7 @@ ms.localizationpriority: medium ms.sitesec: library author: greg-lindsay ms.date: 07/27/2017 +ms.topic: article --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 32da345a29..35cd9c6cba 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -13,14 +13,15 @@ ### [Windows Autopilot Reset](windows-autopilot-reset.md) #### [Remote reset](windows-autopilot-reset-remote.md) #### [Local reset](windows-autopilot-reset-local.md) -## Administering Autopilot +## [Administering Autopilot](administer.md) ### [Configuring](configure-autopilot.md) #### [Adding devices](add-devices.md) #### [Creating profiles](profiles.md) #### [Enrollment status page](enrollment-status.md) #### [BitLocker encryption](bitlocker.md) -### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) +### [Administering Autopilot via Partner Center](https://docs.microsoft.com/en-us/partner-center/autopilot) ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) +### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) ## Getting started ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index db20123f7a..853bcdd07b 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Adding devices to Windows Autopilot **Applies to** @@ -50,7 +53,7 @@ To use this script, you can download it from the PowerShell Gallery and run it o ```powershell md c:\\HWID Set-Location c:\\HWID -Set-ExecutionPolicy Unrestricted +Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted Install-Script -Name Get-WindowsAutoPilotInfo Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv ``` diff --git a/windows/deployment/windows-autopilot/administer.md b/windows/deployment/windows-autopilot/administer.md new file mode 100644 index 0000000000..402c3a2f7d --- /dev/null +++ b/windows/deployment/windows-autopilot/administer.md @@ -0,0 +1,69 @@ +--- +title: Administering Autopilot +description: A short description of methods for configuring Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Administering Autopilot + +**Applies to: Windows 10** + +Several platforms are available to register devices with Windows Autopilot. A summary of each platform's capabilities is provided below. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Platform/Portal +Register devices? +Create/Assign profile +Acceptable DeviceID +
    OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
    Partner CenterYES - 1000 at a time max\*YESTuple or PKID or 4K HH
    IntuneYES - 175 at a time maxYES\*4K HH
    Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
    Microsoft Business 365YES - 1000 at a time maxYES4K HH
    + +>*Microsoft recommended platform to use \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 850f631e72..7399e75801 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot FAQ **Applies to: Windows 10** @@ -29,7 +32,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | | Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | | Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| -| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

    Go [here](https://msdn.microsoft.com/partner-center/createuseraccounts-and-set-permissions) for more information. | +| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

    Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | | Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | | Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

    1. Direct CSP: Gets direct authorization from the customer to register devices.

    2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

    3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md index 65932a5cf6..370197bca0 100644 --- a/windows/deployment/windows-autopilot/autopilot-support.md +++ b/windows/deployment/windows-autopilot/autopilot-support.md @@ -10,6 +10,8 @@ ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay ms.date: 10/31/2018 +ms.collection: M365-modern-desktop +ms.topic: article --- # Windows Autopilot support information diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md index ae47150794..cf06f0bc75 100644 --- a/windows/deployment/windows-autopilot/bitlocker.md +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -10,8 +10,11 @@ ms.pagetype: deploy ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Setting the BitLocker encryption algorithm for Autopilot devices With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md index 2a35ccf721..988b5d91f2 100644 --- a/windows/deployment/windows-autopilot/configure-autopilot.md +++ b/windows/deployment/windows-autopilot/configure-autopilot.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Configure Autopilot deployment **Applies to** diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index f47603c201..59fa406a68 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Demonstrate Autopilot deployment on a VM **Applies to** @@ -25,7 +28,7 @@ In this topic you'll learn how to set-up a Windows Autopilot deployment for a Vi ## Prerequisites These are the thing you'll need on your device to get started: -* Installation media for the latest version of Windows 10 Professional or Enterprise (ISO file) +* Installation media for the [latest version of Windows 10 Professional or Enterprise (ISO file)](https://www.microsoft.com/software-download/windows10) * Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements)) * Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index 01a31ebad9..d2e6471454 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -10,8 +10,11 @@ ms.pagetype: deploy ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot Enrollment Status page The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete. @@ -59,7 +62,7 @@ The following types of policies and installations are not tracked: ## More information For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
    -For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
    +For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
    For more information about blocking for app installation: - [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). -- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). \ No newline at end of file +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 72bca7e019..0996810392 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -10,6 +10,8 @@ ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay ms.date: 11/05/2018 +ms.collection: M365-modern-desktop +ms.topic: article --- # Windows Autopilot for existing devices @@ -18,7 +20,7 @@ ms.date: 11/05/2018 Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. -This topic describes how to convert Windows 7 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot. +This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot. ## Prerequisites @@ -276,7 +278,7 @@ Next, ensure that all content required for the task sequence is deployed to dist ### Complete the client installation process -1. Open the Software Center on the target Windows 7 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: +1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: ``` C:\Windows\CCM\SCClient.exe diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md index 50ee521951..f557867c0b 100644 --- a/windows/deployment/windows-autopilot/intune-connector.md +++ b/windows/deployment/windows-autopilot/intune-connector.md @@ -10,6 +10,8 @@ ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay ms.date: 11/26/2018 +ms.collection: M365-modern-desktop +ms.topic: article --- diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index 32455a34ad..8884be069a 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Configure Autopilot profiles **Applies to** diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index 5a5dcf695d..563dc03e5f 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot customer consent **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index 68138d4b86..be36013432 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -10,8 +10,11 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot Self-Deploying mode (Preview) **Applies to: Windows 10, version 1809 or later** diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index 8a248dbf27..0d365a9cac 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Troubleshooting Windows Autopilot **Applies to: Windows 10** @@ -82,10 +85,12 @@ On Windows 10 version 1703 and above, ETW tracing can be used to capture detaile The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements-configuration.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. -Error code 801C0003 will typically be reported on an error page titled "Something went wrong." This error means that the Azure AD join failed. +Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. ### Troubleshooting Intune enrollment issues See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. -Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong." This error means that the MDM enrollment failed. +Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed. + +If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md index 50dd79e58e..2058c34488 100644 --- a/windows/deployment/windows-autopilot/user-driven-aad.md +++ b/windows/deployment/windows-autopilot/user-driven-aad.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot user-driven mode for Azure Active Directory join **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index 895992424d..c084916d3e 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -9,9 +9,12 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot user-driven mode for hybrid Azure Active Directory join **Applies to: Windows 10** @@ -29,6 +32,7 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - The device must be connected to the Internet and have access to an Active Directory domain controller. - The Intune Connector for Active Directory must be installed. - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. +- If using Proxy, WDAP Proxy settings option must be enabled and configured. **AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index efe36198a5..eb34848a9d 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -10,8 +10,11 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 11/07/2018 ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot user-driven mode Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md index ed91b71732..9610dbb4af 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot configuration requirements **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md index f88d935d8c..aaae7ae596 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot licensing requirements **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md index 260b773472..f2b2c19fb8 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot networking requirements **Applies to: Windows 10** @@ -23,7 +26,12 @@ Windows Autopilot depends on a variety of internet-based services; access to the In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details: -- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details: +- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: + + - https://ztd.dds.microsoft.com + - https://cs.dds.microsoft.com + + For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See the following link for details: - diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index ae16b100af..358e9fefd8 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot requirements **Applies to: Windows 10** @@ -19,16 +22,26 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur - Windows 10 version 1703 (semi-annual channel) or higher is required. - The following editions are supported: - - Pro - - Pro Education - - Pro for Workstations - - Enterprise - - Education + - Windows 10 Pro + - Windows 10 Pro Education + - Windows 10 Pro for Workstations + - Windows 10 Enterprise + - Windows 10 Education + - Windows 10 Enterprise 2019 LTSC + + - If you're using Autopilot for Surface devices, note that only the following Surface devices support Autopilot: + - Surface Go + - Surface Go with LTE Advanced + - Surface Pro (5th gen) + - Surface Pro with LTE Advanced (5th gen) + - Surface Pro 6 + - Surface Laptop (1st gen) + - Surface Laptop 2 + - Surface Studio (1st gen) + - Surface Studio 2 + - Surface Book 2 -- Windows 10 Enterprise 2019 LTSC is also supported. - -See the following topics for details on licensing, network, and configuration requirements: -- [Licensing requirements](windows-autopilot-requirements-licensing.md) +See the following topics for details on network and configuration requirements: - [Networking requirements](windows-autopilot-requirements-network.md) - [Configuration requirements](windows-autopilot-requirements-configuration.md) - For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index 59ee22ba1a..ac25a597f7 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -10,8 +10,11 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Reset devices with local Windows Autopilot Reset **Applies to: Windows 10, version 1709 and above diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md index 991d7dd424..30fb733eb0 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md @@ -10,8 +10,11 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Reset devices with remote Windows Autopilot Reset (Preview) **Applies to: Windows 10, build 17672 or later** diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index 05d45ae57a..1a5c9e982d 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md @@ -10,8 +10,11 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot Reset **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index e59b199a77..d73e7bb81f 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Windows Autopilot scenarios **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index e9043c8a72..bbbde28edc 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -9,8 +9,11 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article --- + # Overview of Windows Autopilot **Applies to** diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 6ac888a69b..2682bbad0b 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus ms.date: 07/12/2017 +ms.topic: article --- # Windows 10 deployment scenarios and tools diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index acfa4df08b..bac00186ea 100644 --- a/windows/device-security/docfx.json +++ b/windows/device-security/docfx.json @@ -39,7 +39,8 @@ "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-device-security" + "depot_name": "MSDN.win-device-security", + "folder_relative_path_in_docset": "./" } } }, @@ -47,4 +48,4 @@ "template": [], "dest": "win-device-security" } -} \ No newline at end of file +} diff --git a/windows/docfx.json b/windows/docfx.json index 9ac35033eb..0e7c823b17 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -25,6 +25,7 @@ "externalReference": [ ], "template": "op.html", - "dest": "windows" + "dest": "windows", + "markdownEngineName": "dfm" } } diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 8ef6442201..292438cfe3 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -44,12 +44,14 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-hub" + "depot_name": "MSDN.windows-hub", + "folder_relative_path_in_docset": "./" } } }, "fileMetadata": {}, "template": [], - "dest": "windows-hub" + "dest": "windows-hub", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/hub/release-information.md b/windows/hub/release-information.md index 89d0606cfe..2aa38be1de 100644 --- a/windows/hub/release-information.md +++ b/windows/hub/release-information.md @@ -11,22 +11,15 @@ author: lizap ms.author: elizapo ms.localizationpriority: high --- -# Windows 10 - Release information +# Windows 10 release information ->[!IMPORTANT] -> The URL for the release information page has changed - update your bookmark! +Feature updates for Windows 10 are released twice a year, targeting March and September, via the Semi-Annual Channel (SAC) and will be serviced with monthly quality updates for 18 months from the date of the release. We recommend that you begin deployment of each SAC release immediately to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. -Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)). +Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). -If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. +>[!NOTE] +>If you are not using Windows Update for Business today, the "Semi-Annual Channel (Targeted)" servicing option has no impact on when your devices will be updated. It merely reflects a milestone for the semi-annual release, the period of time during which Microsoft recommends that your IT team make the release available to specific, "targeted" devices for the purpose of validating and generating data in order to get to a broad deployment decision. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523). -If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC. - -**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, you’ll be taken to the latest cumulative update (build 17763.134 or higher). - -November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809. - -For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
    diff --git a/windows/hub/windows-10-landing.yml b/windows/hub/windows-10-landing.yml index 03923fa63f..9932c85367 100644 --- a/windows/hub/windows-10-landing.yml +++ b/windows/hub/windows-10-landing.yml @@ -57,7 +57,7 @@ sections: - type: markdown text: " Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.
    - +

    **In-place upgrade**
    The simplest way to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.
    Upgrade to Windows 10 with Configuration Manager
    Upgrade to Windows 10 with MDT
    **Traditional deployment**
    Some organizations may still need to opt for an image-based deployment of Windows 10.
    Deploy Windows 10 with Configuration Manager
    Deploy Windows 10 with MDT

    **Dynamic provisioning**
    With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.
    Provisioning packages for Windows 10
    Build and apply a provisioning package
    Customize Windows 10 start and the taskbar
    **Other deployment scenarios**
    Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.
    Windows deployment for education environments
    Set up a shared or guest PC with Windows 10
    Sideload apps in Windows 10

    **In-place upgrade**
    The simplest way to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.
    Upgrade to Windows 10 with Configuration Manager
    Upgrade to Windows 10 with MDT
    **Traditional deployment**
    Some organizations may still need to opt for an image-based deployment of Windows 10.
    Deploy Windows 10 with Configuration Manager
    Deploy Windows 10 with MDT

    **Dynamic provisioning**
    With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.
    Provisioning packages for Windows 10
    Build and apply a provisioning package
    Customize Windows 10 start and the taskbar
    **Other deployment scenarios**
    Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.
    Windows deployment for education environments
    Set up a shared or guest PC with Windows 10
    Sideload apps in Windows 10
    " - title: Management and security diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json index c69d3e3f49..e7c4c32d2a 100644 --- a/windows/keep-secure/docfx.json +++ b/windows/keep-secure/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.keep-secure" + "depot_name": "MSDN.keep-secure", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "keep-secure" } -} \ No newline at end of file +} diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json index eee8740627..36d3bfc69c 100644 --- a/windows/manage/docfx.json +++ b/windows/manage/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-manage" + "depot_name": "MSDN.windows-manage", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "windows-manage" } -} \ No newline at end of file +} diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json index 4a303a21bc..1a52d12cc9 100644 --- a/windows/plan/docfx.json +++ b/windows/plan/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-plan" + "depot_name": "MSDN.windows-plan", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "windows-plan" } -} \ No newline at end of file +} diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index eaf8f033d0..ab42290c6b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -4236,7 +4236,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5132,7 +5132,7 @@ The following fields are available: - **RebootReason** Reason for the reboot. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 27fcd87f88..658324d8b4 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -4128,7 +4128,7 @@ The following fields are available: - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -4192,7 +4192,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5298,7 +5298,7 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index e3c6418b17..55e5adf886 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4934,7 +4934,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4997,7 +4997,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5988,7 +5988,7 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 8916790a12..f8a042ef3d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -2637,75 +2637,6 @@ The following fields are available: ## Diagnostic data events -### TelClientSynthetic.AbnormalShutdown_0 - -This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. - -The following fields are available: - -- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. -- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. -- **BatteryLevelAtLastShutdown** The last recorded battery level. -- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. -- **CrashDumpEnabled** Indicates whether crash dumps are enabled. -- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. -- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. -- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. -- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. -- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. -- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. -- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. -- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. -- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **LastBugCheckBootId** bootId of the last captured crash. -- **LastBugCheckCode** Code that indicates the type of error. -- **LastBugCheckContextFlags** Additional crash dump settings. -- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. -- **LastBugCheckOtherSettings** Other crash dump settings. -- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. -- **LastBugCheckProgress** Progress towards writing out the last crash dump. -- **LastBugCheckVersion** The version of the information struct written during the crash. -- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. -- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. -- **OOBEInProgress** Identifies if the Out-Of-Box-Experience is running. -- **OSSetupInProgress** Identifies if the operating system setup is running. -- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). -- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). -- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). -- **PowerButtonLastPressBootId** BootId of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastPressTime** Date/time of the last time the Power Button was pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). -- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). -- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. -- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. -- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. -- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. -- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. -- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. -- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. -- **StaleBootStatData** Identifies if the data from bootstat is stale. -- **TransitionInfoBootId** The Boot ID of the captured transition information. -- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). -- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). -- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. -- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. -- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. -- **TransitionInfoLidState** Describes the state of the laptop lid. -- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). -- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. -- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. -- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. -- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. -- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. -- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. -- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. -- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. -- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. - - ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -4127,7 +4058,6 @@ The following fields are available: - **ProductVersion** The version associated with the Office add-in. - **ProgramId** The unique program identifier of the Microsoft Office add-in. - **Provider** Name of the provider for this add-in. -- **Usage** Data about usage for the add-in. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove @@ -4929,7 +4859,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -5005,7 +4935,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. @@ -5187,7 +5117,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -5247,7 +5177,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -6053,7 +5983,7 @@ The following fields are available: - **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index da571eeaf2..3d87b25a9b 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -155,14 +155,18 @@ The following table defines the endpoints for Connected User Experiences and Tel Windows release | Endpoint --- | --- -Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

    Functional: v20.vortex-win.data.microsoft.com/collect/v1
    Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
    settings-win.data.microsoft.com -Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

    settings-win.data.microsoft.com +Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| Diagnostics data: v10c.vortex-win.data.microsoft.com

    Functional: v20.vortex-win.data.microsoft.com
    Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com +Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | Diagnostics data: v10.events.data.microsoft.com

    Functional: v20.vortex-win.data.microsoft.com
    Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com +Windows 10, version 1709 or earlier | Diagnostics data: v10.vortex-win.data.microsoft.com

    Functional: v20.vortex-win.data.microsoft.com
    Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com +Windows 7 and Windows 8.1 | vortex-win.data.microsoft.com The following table defines the endpoints for other diagnostic data services: | Service | Endpoint | | - | - | | [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| | umwatsonc.events.data.microsoft.com | +| | kmwatsonc.events.data.microsoft.com | | | ceuswatcab01.blob.core.windows.net | | | ceuswatcab02.blob.core.windows.net | | | eaus2watcab01.blob.core.windows.net | @@ -170,7 +174,7 @@ The following table defines the endpoints for other diagnostic data services: | | weus2watcab01.blob.core.windows.net | | | weus2watcab02.blob.core.windows.net | | [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | +| OneDrive app for Windows 10 | vortex.data.microsoft.com | ### Data use and access @@ -356,9 +360,9 @@ You can turn on or turn off System Center diagnostic data gathering. The default The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. -### Configure the operating system diagnostic data level +## Configure the operating system diagnostic data level -You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. +You can configure your operating system diagnostic data settings using the management tools you’re already using, such as **Group Policy, MDM, or Windows Provisioning.** You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. Use the appropriate value in the table below when you configure the management policy. @@ -388,7 +392,7 @@ Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com ### Use Registry Editor to set the diagnostic data level -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. +Use Registry Editor to manually set the registry level on the devices in your organization, or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, the policy will replace the manually set registry level. 1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index f739985f3d..ec17064fc8 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -21,17 +21,17 @@ ms.date: 01/17/2018 **Applies to** - Windows 10, version 1809 -- Windows 10, version 1803 +- Windows 10, version 1803 ## Introduction -The Diagnostic Data Viewer is a Windows app that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. +The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. ## Install and Use the Diagnostic Data Viewer -You must turn on data viewing and download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. +You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. ### Turn on data viewing -Before you can use this tool, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. +Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. Note that this setting does not affect your Office data viewing or history. **To turn on data viewing** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. @@ -44,7 +44,7 @@ Before you can use this tool, you must turn on data viewing in the **Settings** Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. ### Start the Diagnostic Data Viewer -You must start this app from the **Settings** panel. +You can start this app from the **Settings** panel. **To start the Diagnostic Data Viewer** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. @@ -58,26 +58,25 @@ You must start this app from the **Settings** panel. 3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. >[!Important] - >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. + >Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Use the Diagnostic Data Viewer The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data. -- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. +- **View your Windows diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. - ![View your diagnostic events](images/ddv-event-view.png) + >[!Important] + >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. + + ![View your diagnostic events](images/ddv-event-view.jpg) - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. Selecting an event opens the detailed JSON view, with the matching text highlighted. -- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. - - Selecting a check box lets you filter between the diagnostic event categories. - - ![Filter your diagnostic event categories](images/ddv-event-view-filter.png) +- **Filter your diagnostic event categories.** The app's **Menu** button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting a check box lets you filter between the diagnostic event categories. - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. @@ -90,8 +89,20 @@ The Diagnostic Data Viewer provides you with the following features to view and >[!Important] >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. +- **View a summary of the data you've shared with us over time.** Available for users on build 19H1+, 'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft. + + Through this feature, you can checkout how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more. + + >[!Important] + >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. + + ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer](images/ddv-analytics.png) + +## View Office Diagnostic Data +By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). + ## Turn off data viewing -When you're done reviewing your diagnostic data, you should turn of data viewing. +When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your Windows data history. Note that this setting does not affect your Office data viewing or history. **To turn off data viewing** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. @@ -100,8 +111,24 @@ When you're done reviewing your diagnostic data, you should turn of data viewing ![Location to turn off data viewing](images/ddv-settings-off.png) +## Modifying the size of your data history +By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + + >[!Important] + >Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified. + +**Modify the size of your data history** + + To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached. + + >[!Important] + >Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. + + ![Change the size of your data history through the app settings](images/ddv-change-db-size.png) + ## View additional diagnostic data in the View problem reports tool Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. + This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. @@ -109,7 +136,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel **To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer** -Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. +Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. ![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png) @@ -120,3 +147,4 @@ Go to **Start** and search for _Problem Reports_. The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft. ![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png) + diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 98296c6b76..9221109b4d 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -36,13 +36,19 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "feedback_system": "GitHub", + "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.privacy", + "folder_relative_path_in_docset": "./" + } + } }, "fileMetadata": {}, "template": [], "dest": "privacy", "markdownEngineName": "markdig" } -} \ No newline at end of file +} diff --git a/windows/privacy/images/ddv-analytics.png b/windows/privacy/images/ddv-analytics.png new file mode 100644 index 0000000000..499a541b00 Binary files /dev/null and b/windows/privacy/images/ddv-analytics.png differ diff --git a/windows/privacy/images/ddv-event-view.jpg b/windows/privacy/images/ddv-event-view.jpg new file mode 100644 index 0000000000..0a6c2ef113 Binary files /dev/null and b/windows/privacy/images/ddv-event-view.jpg differ diff --git a/windows/privacy/images/ddv-event-view.png b/windows/privacy/images/ddv-event-view.png deleted file mode 100644 index 264add2d9c..0000000000 Binary files a/windows/privacy/images/ddv-event-view.png and /dev/null differ diff --git a/windows/privacy/images/ddv-problem-reports.png b/windows/privacy/images/ddv-problem-reports.png index 49ae0fffc0..bd3dc7ba7d 100644 Binary files a/windows/privacy/images/ddv-problem-reports.png and b/windows/privacy/images/ddv-problem-reports.png differ diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 75f9a40255..0cbf266f2a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -18,7 +18,7 @@ ms.date: 06/05/2018 # Manage connections from Windows operating system components to Microsoft services -**Applies to** +**Applies to** - Windows 10 Enterprise, version 1607 and newer - Windows Server 2016 @@ -36,7 +36,7 @@ To help make it easier to deploy settings to restrict connections from Windows 1 This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. -Make sure should you've chosen the right settings configuration for your environment before applying. +Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. >[!IMPORTANT] @@ -118,49 +118,50 @@ The following table lists management options for each setting, beginning with Wi | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [17. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | -|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | -| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | -| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [29. License Manager](#bkmk-licmgr) | | | | ![Check mark](images/checkmark.png) | | +| [9. License Manager](#bkmk-licmgr) | | | | ![Check mark](images/checkmark.png) | | +| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [18. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | +|     [18.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [25. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [26. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [27.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [28. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + ### Settings for Windows Server 2016 with Desktop Experience @@ -175,19 +176,19 @@ See the following table for a summary of the management settings for Windows Ser | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | -| [17. Settings > Privacy](#bkmk-settingssection) | | | | | -|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [24. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | -| [28. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | +| [18. Settings > Privacy](#bkmk-settingssection) | | | | | +|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [25. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | +| [27. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [27.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core @@ -198,11 +199,11 @@ See the following table for a summary of the management settings for Windows Ser | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | -| [18. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | -| [21. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [23. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | +| [19. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | +| [22. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [24. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Nano Server @@ -212,8 +213,8 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | -| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | -| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | +| [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2019 @@ -229,48 +230,48 @@ See the following table for a summary of the management settings for Windows Ser | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [17. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | -|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | -| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | -| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [18. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | +|     [18.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | +| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [25. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [26. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [27.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [28. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ## How to configure each setting @@ -341,8 +342,6 @@ You can also apply the Group Policies using the following registry keys: | Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
    REG_DWORD: ConnectedSearchUseWeb
    Value: 0 | | Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
    REG_DWORD: ConnectedSearchPrivacy
    Value: 3 | -In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. - >[!IMPORTANT] >These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016. @@ -446,8 +445,6 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: - **true**. Font streaming is enabled. -If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1. - > [!NOTE] > After you apply this policy, you must restart the device for it to take effect. @@ -541,7 +538,6 @@ You can also use registry entries to set these Group Policies. | Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
    REG_DWORD: BackgroundSyncStatus
    Value: 0| | Turn off Online Tips | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    REG_DWORD: AllowOnlineTips
    Value: 0| -1. HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AllowOnlineTips, 0, Null, Fail To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**. @@ -564,7 +560,25 @@ You can turn this off by: For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/library/dn761713.aspx). -### 9. Live Tiles +### 9. License Manager + +You can turn off License Manager related traffic by setting the following registry entry: + +- Add a REG\_DWORD value named **Start** to **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the value to 4 + +- The value 4 is to disable the service. Here are the available options to set the registry: + + - **0x00000000** = Boot + + - **0x00000001** = System + + - **0x00000002** = Automatic + + - **0x00000003** = Manual + + - **0x00000004** = Disabled + +### 10. Live Tiles To turn off Live Tiles: @@ -576,7 +590,7 @@ To turn off Live Tiles: In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. -### 10. Mail synchronization +### 11. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: @@ -598,7 +612,7 @@ To turn off the Windows Mail app: - Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero). -### 11. Microsoft Account +### 12. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). @@ -616,15 +630,14 @@ To disable the Microsoft Account Sign-In Assistant: - Change the Start REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**. -### 12. Microsoft Edge +### 13. Microsoft Edge Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). -### 12.1 Microsoft Edge Group Policies +### 13.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. - | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library.
    Default: Enabled | @@ -637,19 +650,6 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Start pages | Choose the Start page for domain-joined devices.
    Set this to **\** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
    Set to: Enable | -The Windows 10, version 1511 Microsoft Edge Group Policy names are: - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Allow address bar drop-down list suggestions | Choose whether employees can use Address Bar drop-down list suggestions.
    Default: Disabled | -| Turn off autofill | Choose whether employees can use autofill on websites.
    Default: Enabled | -| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
    Default: Disabled | -| Turn off password manager | Choose whether employees can save passwords locally on their devices.
    Default: Enabled | -| Turn off Address Bar search suggestions | Choose whether the Address Bar shows search suggestions.
    Default: Enabled | -| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
    Default: Enabled | -| Open a new tab with an empty tab | Choose whether a new tab page appears.
    Default: Enabled | -| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
    Set this to **about:blank** | - Alternatively, you can configure the Microsoft Group Policies using the following registry entries: | Policy | Registry path | @@ -666,7 +666,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
    REG_DWORD name: PreventFirstRunPage
    Value: 1| -### 12.2 Microsoft Edge MDM policies +### 13.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -683,7 +683,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies). -### 13. Network Connection Status Indicator +### 14. Network Connection Status Indicator Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). @@ -702,7 +702,7 @@ You can turn off NCSI by doing one of the following: - Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one). -### 14. Offline maps +### 15. Offline maps You can turn off the ability to download and update offline maps. @@ -724,11 +724,7 @@ You can turn off the ability to download and update offline maps. - Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). - -or- - -- In Windows 10, version 1703 and later, apply the Settings/PageVisibilityList MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) with a value of "hide:maps;maps-downloadmaps". - -### 15. OneDrive +### 16. OneDrive To turn off OneDrive in your organization: @@ -746,7 +742,12 @@ To turn off OneDrive in your organization: - Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one). -### 16. Preinstalled apps + -or- + +- Set the System/DisableOneDriveFileSync MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync) to True (value 1) to disable OneDrive File Sync. + + +### 17. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. @@ -866,49 +867,49 @@ To remove the Sticky notes app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** -### 17. Settings > Privacy +### 18. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [17.1 General](#bkmk-general) +- [18.1 General](#bkmk-general) -- [17.2 Location](#bkmk-priv-location) +- [18.2 Location](#bkmk-priv-location) -- [17.3 Camera](#bkmk-priv-camera) +- [18.3 Camera](#bkmk-priv-camera) -- [17.4 Microphone](#bkmk-priv-microphone) +- [18.4 Microphone](#bkmk-priv-microphone) -- [17.5 Notifications](#bkmk-priv-notifications) +- [18.5 Notifications](#bkmk-priv-notifications) -- [17.6 Speech, inking, & typing](#bkmk-priv-speech) +- [18.6 Speech, inking, & typing](#bkmk-priv-speech) -- [17.7 Account info](#bkmk-priv-accounts) +- [18.7 Account info](#bkmk-priv-accounts) -- [17.8 Contacts](#bkmk-priv-contacts) +- [18.8 Contacts](#bkmk-priv-contacts) -- [17.9 Calendar](#bkmk-priv-calendar) +- [18.9 Calendar](#bkmk-priv-calendar) -- [17.10 Call history](#bkmk-priv-callhistory) +- [18.10 Call history](#bkmk-priv-callhistory) -- [17.11 Email](#bkmk-priv-email) +- [18.11 Email](#bkmk-priv-email) -- [17.12 Messaging](#bkmk-priv-messaging) +- [18.12 Messaging](#bkmk-priv-messaging) -- [17.13 Radios](#bkmk-priv-radios) +- [18.13 Radios](#bkmk-priv-radios) -- [17.14 Other devices](#bkmk-priv-other-devices) +- [18.14 Other devices](#bkmk-priv-other-devices) -- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) +- [18.15 Feedback & diagnostics](#bkmk-priv-feedback) -- [17.16 Background apps](#bkmk-priv-background) +- [18.16 Background apps](#bkmk-priv-background) -- [17.17 Motion](#bkmk-priv-motion) +- [18.17 Motion](#bkmk-priv-motion) -- [17.18 Tasks](#bkmk-priv-tasks) +- [18.18 Tasks](#bkmk-priv-tasks) -- [17.19 App Diagnostics](#bkmk-priv-diag) +- [18.19 App Diagnostics](#bkmk-priv-diag) -### 17.1 General +### 18.1 General **General** includes options that don't fall into other areas. @@ -1025,7 +1026,7 @@ To turn off **Let apps on my other devices use Bluetooth to open apps and contin - Turn off the feature in the UI. -### 17.2 Location +### 18.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -1084,7 +1085,7 @@ To turn off **Choose apps that can use your location**: - Turn off each app using the UI. -### 17.3 Camera +### 18.3 Camera In the **Camera** area, you can choose which apps can access a device's camera. @@ -1125,7 +1126,7 @@ To turn off **Choose apps that can use your camera**: - Turn off the feature in the UI for each app. -### 17.4 Microphone +### 18.4 Microphone In the **Microphone** area, you can choose which apps can access a device's microphone. @@ -1155,7 +1156,7 @@ To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. -### 17.5 Notifications +### 18.5 Notifications >[!IMPORTANT] >Disabling notifications will also disable the ability to manage the device through MDM. If you are using an MDM solution, make sure cloud notifications are enabled through one of the options below. @@ -1202,7 +1203,7 @@ To turn off **Let apps access my notifications**: - Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) -### 17.6 Speech, inking, & typing +### 18.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. @@ -1244,7 +1245,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/ - Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero). -### 17.7 Account info +### 18.7 Account info In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. @@ -1274,7 +1275,7 @@ To turn off **Choose the apps that can access your account info**: - Turn off the feature in the UI for each app. -### 17.8 Contacts +### 18.8 Contacts In the **Contacts** area, you can choose which apps can access an employee's contacts list. @@ -1300,7 +1301,7 @@ To turn off **Choose apps that can access contacts**: - Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -### 17.9 Calendar +### 18.9 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -1330,7 +1331,7 @@ To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. -### 17.10 Call history +### 18.10 Call history In the **Call history** area, you can choose which apps have access to an employee's call history. @@ -1356,7 +1357,7 @@ To turn off **Let apps access my call history**: - Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -### 17.11 Email +### 18.11 Email In the **Email** area, you can choose which apps have can access and send email. @@ -1382,7 +1383,7 @@ To turn off **Let apps access and send email**: - Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -### 17.12 Messaging +### 18.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. @@ -1422,7 +1423,7 @@ To turn off **Choose apps that can read or send messages**: - Set the **Allow Message Service Cloud** to **Disable**. -### 17.13 Phone calls +### 18.13 Phone calls In the **Phone calls** area, you can choose which apps can make phone calls. @@ -1453,7 +1454,7 @@ To turn off **Choose apps that can make phone calls**: - Turn off the feature in the UI for each app. -### 17.14 Radios +### 18.14 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -1484,7 +1485,7 @@ To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 17.15 Other devices +### 18.15 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. @@ -1527,7 +1528,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - **1**. Force allow - **2**. Force deny -### 17.16 Feedback & diagnostics +### 18.16 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -1614,7 +1615,7 @@ To turn off tailored experiences with relevant tips and recommendations by using - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** -### 17.17 Background apps +### 18.17 Background apps In the **Background Apps** area, you can choose which apps can run in the background. @@ -1643,7 +1644,7 @@ To turn off **Let apps run in the background**: > [!NOTE] > Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**. -### 17.18 Motion +### 18.18 Motion In the **Motion** area, you can choose which apps have access to your motion data. @@ -1667,7 +1668,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -### 17.19 Tasks +### 18.19 Tasks In the **Tasks** area, you can choose which apps have access to your tasks. @@ -1689,7 +1690,7 @@ To turn this off: - **1**. Force allow - **2**. Force deny -### 17.20 App Diagnostics +### 18.20 App Diagnostics In the **App diagnostics** area, you can choose which apps have access to your diagnostic information. @@ -1710,7 +1711,7 @@ To turn this off: - **2**. Force deny -### 18. Software Protection Platform +### 19. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: @@ -1726,7 +1727,7 @@ For Windows 10: - Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). -For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: +For Windows Server 2019 or later: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** @@ -1734,9 +1735,15 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co - Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +For Windows Server 2016: +- Create a REG\_DWORD registry setting named **NoAcquireGT** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). + +>[!NOTE] +>Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead. + The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. -### 19. Storage health +### 20. Storage health Enterprise customers can manage updates to the Disk Failure Prediction Model. @@ -1747,7 +1754,7 @@ For Windows 10: - Create a REG\_DWORD registry setting named **AllowDiskHealthModelUpdates** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\StorageHealth** with a value of 0. -### 20. Sync your settings +### 21. Sync your settings You can control if your settings are synchronized: @@ -1778,7 +1785,7 @@ To turn off Messaging cloud sync: - Set the Group Policy Allow Message Service Cloud to Disable. The Group Policy path is Computer Configuration\Administrative templates\Windows Components\Messaging\Allow Message Service Cloud - Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero). -### 21. Teredo +### 22. Teredo You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx). @@ -1795,7 +1802,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. - From an elevated command prompt, run **netsh interface teredo set state disabled** -### 22. Wi-Fi Sense +### 23. Wi-Fi Sense >[!IMPORTANT] >Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspots) for more details. @@ -1824,7 +1831,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 23. Windows Defender +### 24. Windows Defender You can disconnect from the Microsoft Antimalware Protection Service. @@ -1884,7 +1891,7 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. -### 23.1 Windows Defender SmartScreen +### 24.1 Windows Defender SmartScreen To disable Windows Defender Smartscreen: @@ -1914,7 +1921,7 @@ To disable Windows Defender Smartscreen: - Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. -### 24. Windows Media Player +### 25. Windows Media Player To remove Windows Media Player on Windows 10: @@ -1928,7 +1935,7 @@ To remove Windows Media Player on Windows Server 2016: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 25. Windows Spotlight +### 26. Windows Spotlight Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface, MDM policy, or through Group Policy. @@ -1963,9 +1970,6 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. - > [!NOTE] - > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - **System** > **Notifications & actions** > **Show me tips about Windows**. @@ -2004,7 +2008,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). -### 26. Microsoft Store +### 27. Microsoft Store You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Microsoft Store will be disabled. @@ -2023,13 +2027,13 @@ On Windows Server 2016, this will block Microsoft Store calls from Universal Win - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two). -### 26.1 Apps for websites +### 27.1 Apps for websites You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app. Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** -### 27. Windows Update Delivery Optimization +### 28. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -2039,13 +2043,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below. -### 27.1 Settings > Update & security +### 28.1 Settings > Update & security You can set up Delivery Optimization from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. -### 27.2 Delivery Optimization Group Policies +### 28.2 Delivery Optimization Group Policies You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. @@ -2059,7 +2063,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con Set the Delivery Optimization Group Policy to "Bypass" to prevent traffic. Alternatively, you can set the **Download Mode** policy by creating a new REG\_DWORD registry setting named **DODownloadMode** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of 100 (one hundred). -### 27.3 Delivery Optimization MDM policies +### 28.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -2072,7 +2076,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
    The default value is 0, which means unlimited possible bandwidth.| -### 27.4 Delivery Optimization Windows Provisioning +### 28.4 Delivery Optimization Windows Provisioning If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies @@ -2088,7 +2092,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). -### 28. Windows Update +### 29. Windows Update You can turn off Windows Update by setting the following registry entries: @@ -2135,23 +2139,5 @@ You can turn off automatic updates by doing one of the following. This is not re - **5**. Turn off automatic updates. - -### 29. License Manager - -You can turn off License Manager related traffic by setting the following registry entry: - -- Add a REG\_DWORD value named **Start** to **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the value to 4 - -- The value 4 is to disable the service. Here are the available options to set the registry: - - - **0x00000000** = Boot - - - **0x00000001** = System - - - **0x00000002** = Automatic - - - **0x00000003** = Manual - - - **0x00000004** = Disabled - To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). + diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 2b73716da2..dcf4d2be83 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -22,13 +22,13 @@ Applies to: - Windows 10, version 1803 - Windows 10, version 1709 -Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1803 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1809 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. The data covered in this article is grouped into the following types: -- Common data (diagnostic header information) +- Common data extensions (diagnostic header information) - Device, Connectivity, and Configuration data - Product and Service Usage data - Product and Service Performance data @@ -36,15 +36,15 @@ The data covered in this article is grouped into the following types: - Browsing History data - Inking, Typing, and Speech Utterance data -## Common data +## Common data extensions Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017. -**Data Use for Common data** +**Data Use for Common data extensions** Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. -### Data Description for Common data type +### Data Description for Common data extensions type -#### Common data type +#### Common data extensions type Information that is added to most diagnostic events, if relevant and available: @@ -506,6 +506,6 @@ Use of the specified data categories to promote a product or service in or on a Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference: -- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. -- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. -- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file +- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. +- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. +- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index 370860330f..b6be3b5acd 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -40,52 +40,52 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -|*.aria.microsoft.com* | HTTPS | Office Telemetry -|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. -|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. -|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. -|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic -|*.Skype.com | HTTP/HTTPS | Skype related traffic -|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic -|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. -|*cdn.onenote.net* | HTTP | OneNote related traffic -|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic -|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. -|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -|*maps.windows.com* | HTTPS | Related to Maps application. -|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. -|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry -|*photos.microsoft.com* | HTTPS | Photos App related traffic -|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. -|*wac.phicdn.net* | HTTP | Windows Update related traffic -|*windowsupdate.com* | HTTP | Windows Update related traffic -|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). -|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|\*.aria.microsoft.com\* | HTTPS | Office Telemetry +|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. +|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. +|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|\*.Skype.com | HTTP/HTTPS | Skype related traffic +|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic +|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. +|\*cdn.onenote.net* | HTTP | OneNote related traffic +|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic +|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|\*maps.windows.com\* | HTTPS | Related to Maps application. +|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry +|\*photos.microsoft.com\* | HTTPS | Photos App related traffic +|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|\*wac.phicdn.net* | HTTP | Windows Update related traffic +|\*windowsupdate.com\* | HTTP | Windows Update related traffic +|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|\*wpc.v0cdn.net* | | Windows Telemetry related traffic |auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related |evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |fs.microsoft.com | | Font Streaming (in ENT traffic) -|g.live.com* | HTTPS | Used by OneDrive +|g.live.com\* | HTTPS | Used by OneDrive |iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry -|mscrl.micorosoft.com | | Certificate Revocation List related traffic. -|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|mscrl.microsoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |officeclient.microsoft.com | HTTPS | Office related traffic. |oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. -|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. -|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. |ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager -|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. -|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. -|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. -|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. -|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. -|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. |v10.events.data.microsoft.com | HTTPS | Diagnostic Data |wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. @@ -111,7 +111,7 @@ We used the following methodology to derive these network endpoints: | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | @@ -127,10 +127,10 @@ We used the following methodology to derive these network endpoints: | *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | | *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | | *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | | *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | | cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | | client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | | config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | @@ -151,7 +151,7 @@ We used the following methodology to derive these network endpoints: | maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | | ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | | sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | diff --git a/windows/release-information/TOC.yml b/windows/release-information/TOC.yml new file mode 100644 index 0000000000..b5ef71ac32 --- /dev/null +++ b/windows/release-information/TOC.yml @@ -0,0 +1,2 @@ +- name: Index + href: index.md \ No newline at end of file diff --git a/windows/release-information/breadcrumb/toc.yml b/windows/release-information/breadcrumb/toc.yml new file mode 100644 index 0000000000..61d8fca61e --- /dev/null +++ b/windows/release-information/breadcrumb/toc.yml @@ -0,0 +1,3 @@ +- name: Docs + tocHref: / + topicHref: / \ No newline at end of file diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json new file mode 100644 index 0000000000..6a0fb3e804 --- /dev/null +++ b/windows/release-information/docfx.json @@ -0,0 +1,47 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/release-information/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "release-information", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/release-information/index.md b/windows/release-information/index.md new file mode 100644 index 0000000000..45697f0cda --- /dev/null +++ b/windows/release-information/index.md @@ -0,0 +1,3 @@ +# Welcome to release-information! + +test diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 394ca15239..961279662e 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -38,11 +38,18 @@ "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "ms.author": "justinha" + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "ms.author": "justinha", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.security", + "folder_relative_path_in_docset": "./" + } + } }, "fileMetadata": {}, "template": [], - "dest": "security" + "dest": "security", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 23991e4fc0..a3c24b5cf6 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -11,13 +11,12 @@ ### [Active Directory Security Groups](access-control/active-directory-security-groups.md) ### [Special Identities](access-control/special-identities.md) -## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) +### [User Account Control](user-account-control\user-account-control-overview.md) +#### [How User Account Control works](user-account-control\how-user-account-control-works.md) +#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md) +#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md) -## [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) - -## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) - -## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md) +## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md) @@ -43,11 +42,6 @@ #### [Smart Card Group Policy and Registry Settings](smart-cards/smart-card-group-policy-and-registry-settings.md) #### [Smart Card Events](smart-cards/smart-card-events.md) -### [User Account Control](user-account-control\user-account-control-overview.md) -#### [How User Account Control works](user-account-control\how-user-account-control-works.md) -#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md) -#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md) - ### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md) #### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md) ##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md) @@ -56,6 +50,13 @@ ##### [Evaluate Virtual Smart Card Security](virtual-smart-cards\virtual-smart-card-evaluate-security.md) #### [Tpmvscmgr](virtual-smart-cards\virtual-smart-card-tpmvscmgr.md) +## [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) + +## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) + +## [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) + +## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [VPN technical guide](vpn\vpn-guide.md) ### [VPN connection types](vpn\vpn-connection-type.md) @@ -67,8 +68,4 @@ ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) ### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) -### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) -### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) - -## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) - +### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 08a96a0f55..2fefc6e157 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -12,16 +12,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 12/10/2018 +ms.date: 02/28/2019 --- # Local Accounts **Applies to** - Windows 10 +- Windows Server 2019 - Windows Server 2016 -This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller. +This reference topic for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. ## About local user accounts @@ -37,6 +38,8 @@ This topic describes the following: - [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant) + - [DefaultAccount](#defaultaccount) + - [Default local system accounts](#sec-localsystem) - [How to manage local accounts](#sec-manage-accounts) @@ -53,42 +56,29 @@ For information about security principals, see [Security Principals](security-pr ## Default local user accounts +The default local user accounts are built-in accounts that are created automatically when you install Windows. -The default local user accounts are built-in accounts that are created automatically when you install the Windows Server operating system on a stand-alone server or member server. The **Applies To** list at the beginning of this article designates the Windows operating systems to which this topic applies. - -After the Windows Server operating system is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources. +After Windows is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources. Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this topic. -The default local user accounts that are provided include the Administrator account, Guest account and HelpAssistant account. Each of these default local user accounts is described in the following sections. +Default local user accounts are described in the following sections. ### Administrator account -The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems. +The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. -For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. The Administrator account can also be used take control of local resources at any time simply by changing the user rights and permissions. +The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions. The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. -The default Administrator account is initially installed differently for Windows Server operating systems, and the Windows client operating systems. The following table provides a comparison. - -| Default restriction | Windows Server operating systems | Windows client operating systems | -|---------------------|----------------------------------|----------------------------------| -| Administrator account is disabled on installation | No | Yes | -| Administrator account is set up on first sign-in | Yes | No, keep disabled | -| Administrator account is used to set up the local server or client computer | Yes | No, use a local user account with **Run as administrator** to obtain administrative rights | -| Administrator account requires a strong password when it is enabled | Yes | Yes | -| Administrator account can be disabled, locked out, or renamed | Yes | Yes | - -In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required. - -In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. +In Windows 10 and Windows Server 20016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer. -The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed or disabled. +The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed. **Security considerations** @@ -122,53 +112,78 @@ By default, the Guest account is the only member of the default Guests group (SI **Security considerations** -When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers. - -When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. +When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account should not be used over the network and made accessible to other computers. In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. -### HelpAssistant account (installed by using a Remote Assistance session) -The default HelpAssistant account is enabled when a Windows Remote Assistance session is run. The Windows Remote Assistance session can be used to connect from the server to another computer running the Windows operating system. For solicited remote assistance, a user initiates a Windows Remote Assistance session, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. +### DefaultAccount -After the user’s invitation for a Windows Remote Assistance session is accepted, the default HelpAssistant account is automatically created. The HelpAssistant account provides limited access to the computer to the person who provides assistance. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. The HelpAssistant account is automatically deleted after there are no Remote Assistance requests are pending. +The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. +The DMSA is a well-known user account type. +It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. +The DMSA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. -The security identifiers (SIDs) that pertain to the default HelpAssistant account include: +The DMSA has a well-known RID of 503. The security identifier (SID) of the DMSA will thus have a well-known SID in the following format: S-1-5-21--503 -- SID: S-1-5-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. +The DMSA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581. -- SID: S-1-5-14, display name Remote Interactive Logon. This group includes all users who sign in to the computer by using Remote Desktop Connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. +The DMSA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM). -For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. +#### How Windows uses the DefaultAccount +From a permission perspective, the DefaultAccount is a standard user account. +The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). +MUMA apps run all the time and react to users signing in and signing out of the devices. +Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA. -In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. +MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. +Today, Xbox automatically signs in as Guest account and all apps run in this context. +All the apps are multi-user-aware and respond to events fired by user manager. +The apps run as the Guest account. + +Similarly, Phone auto logs in as a “DefApps” account which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. + +In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. +For this purpose, the system creates DSMA. + +#### How the DefaultAccount gets created on domain controllers + +If the domain was created with domain controllers that run Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain. +If the domain was created with domain controllers that run an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain. + +#### Recommendations for managing the Default Account (DSMA) + +Microsoft does not recommend changing the default configuration, where the account is disabled. There is no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. ## Default local system accounts +### SYSTEM +The SYSTEM account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It is an internal account that does not show up in User Manager, and it cannot be added to any groups. -The system account and the Administrator account of the Administrators group have the same file rights and permissions, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The system account was designed for that purpose. It is an internal account that does not show up in User Manager, it cannot be added to any groups, and it cannot have user rights assigned to it. - -On the other hand, the system account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the system account is granted Full Control permissions to all files on an NTFS volume. Here the system account has the same functional rights and permissions as the Administrator account. +On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. **Note**   -To grant the account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file, but we do not recommend removing them. +To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. -  +### NETWORK SERVICE +The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](https://docs.microsoft.com/windows/desktop/services/networkservice-account). + +### LOCAL SERVICE +The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](https://docs.microsoft.com/windows/desktop/services/localservice-account). ## How to manage local user accounts -The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see [Manage Local Users](https://technet.microsoft.com/library/cc731899.aspx). +The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](https://technet.microsoft.com/library/cc731899.aspx). You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner. -You cannot use Local Users and Groups to view local users and groups after a member server is used as a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network. +You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network. **Note**   -You use Active Directory Users and Computers to manage users and groups in Active Directory. +You use Active Directory Users and Computers to manage users and groups in Active Directory.loca -  +You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies. ### Restrict and protect local accounts with administrative rights @@ -199,7 +214,7 @@ UAC makes it possible for an account with administrative rights to be treated as In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session. -For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration. +For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration. For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview). @@ -270,6 +285,9 @@ The following table shows the Group Policy and registry settings that are used t + +>[!NOTE] +>You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.   **To enforce local account restrictions for remote access** @@ -292,7 +310,7 @@ The following table shows the Group Policy and registry settings that are used t 6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following: - 1. Navigate to the Computer Configuration\\Policies\\Windows Settings, and > **Security Options**. + 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**. 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**. @@ -374,8 +392,8 @@ The following table shows the Group Policy settings that are used to deny networ

    Policy setting

    -

    User name of the default Administrator account

    -

    (Might be renamed through policy.)

    +

    Local account and member of Administrators group

    +

    2

    @@ -390,8 +408,8 @@ The following table shows the Group Policy settings that are used to deny networ

    Policy setting

    -

    User name of the default Administrator account

    -

    (Might be renamed through policy).

    +

    Local account and member of Administrators group

    + @@ -416,35 +434,19 @@ The following table shows the Group Policy settings that are used to deny networ 6. Configure the user rights to deny network logons for administrative local accounts as follows: - 1. Navigate to the Computer Configuration\\Policies\\Windows Settings, and > **User Rights Assignment**. + 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**. - 2. Double-click **Deny access to this computer from the network**, and > **Define these policy settings**. + 2. Double-click **Deny access to this computer from the network**. - 3. Click **Add User or Group**, type the name of the default Administrator account, and > **OK**. The default name is Administrator on US English installations, but it can be renamed either by policy or manually. - - ![local accounts 9](images/localaccounts-proc2-sample3.png) - - **Important**   - In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolved to a name that is underlined, includes a computer name, or includes the domain, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator to prevent blocking domain accounts in that group. - -   - - 4. For any additional local accounts in the Administrators group on all of the workstations that you are configuring, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as described in the previous step, and then click **OK**. + 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. 7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**. - 2. Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**. + 2. Double-click **Deny log on through Remote Desktop Services**. - 3. Click **Add User or Group**, type the user name of the default Administrator account, and > **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually. - - **Important**   - In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group. - -   - - 4. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and > **OK**. + 3. Click **Add User or Group**, type type **Local account and member of Administrators group**, and > **OK**. 8. Link the GPO to the first **Workstations** OU as follows: @@ -463,7 +465,6 @@ The following table shows the Group Policy settings that are used to deny networ **Note**   You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. -   ### Create unique passwords for local accounts with administrative rights diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index def101e7d1..626de0ca3e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -12,7 +12,7 @@ ms.author: daniha manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 09/04/2018 +ms.date: 03/01/2019 --- # Manage Windows Defender Credential Guard @@ -43,6 +43,14 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will To enforce processing of the group policy, you can run ```gpupdate /force```. +### Enable Windows Defender Credential Guard by using Intune + +1. From **Home** click **Microsoft Intune** +2. Click **Device configuration** +3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. + +> [!NOTE] +> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. ### Enable Windows Defender Credential Guard by using the registry @@ -157,25 +165,19 @@ To disable Windows Defender Credential Guard, you can use the following set of p > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. 3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: + ``` syntax - mountvol X: /s - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - + bcdedit /set hypervisorlaunchtype off mountvol X: /d - ``` + 2. Restart the PC. 3. Accept the prompt to disable Windows Defender Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. @@ -183,6 +185,9 @@ To disable Windows Defender Credential Guard, you can use the following set of p > [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> [!NOTE] +> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. + For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). @@ -191,7 +196,7 @@ For more info on virtualization-based security and Windows Defender Device Guard You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.5.ps1 -Disable -AutoReboot +DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` #### Disable Windows Defender Credential Guard for a virtual machine diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 68c7ae9ccb..01d5a2d5a7 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -39,7 +39,7 @@ To provide basic protections against OS level attempts to read Credential Manage The Virtualization-based security requires: - 64-bit CPU - CPU virtualization extensions plus extended page tables -- Windows hypervisor +- Windows hypervisor (does not require Hyper-V Windows Feature to be installed) ### Windows Defender Credential Guard deployment in virtual machines diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index a763b76800..e6b69e32b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -108,7 +108,7 @@ Sign in the domain controller with _domain administrator_ equivalent credentials ##### Add accounts to the Phonefactor Admins group 1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**. 3. Click the **Members** tab. 4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. * The computer account for the primary MFA Server @@ -189,7 +189,7 @@ The User Portal and Mobile Application web services need to communicate with the Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. 1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties. 3. Click the Members tab. 4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. * The computer account for the primary MFA Server diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 1528aad8e3..aade96adc6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -35,9 +35,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs th ## Enable Windows Hello for Business Group Policy -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. ## Use certificate for on-premises authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 789395a1bf..f07f4f199a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -15,7 +15,7 @@ localizationpriority: medium ms.date: 08/19/2018 --- # Windows Hello for Business Provisioning - + **Applies to:** - Windows 10 @@ -24,14 +24,14 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, - The Windows Hello for Business deployment type - If the environment is managed or federated -[Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)
    -[Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)
    -[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment-in-a-Managed-envrionment)
    -[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment-in-a-Managed-environment)
    -[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Managed-environment)
    -[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Federated-environment)
    -[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Key-Trust-deployment)
    -[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Certificate-Trust-deployment)
    +[Azure AD joined provisioning in a Managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
    +[Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
    +[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
    +[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
    +[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
    +[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
    +[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
    +[Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
    @@ -45,7 +45,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment ![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) @@ -55,7 +55,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png) @@ -71,7 +71,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) @@ -89,7 +89,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, > The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) @@ -106,7 +106,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) @@ -122,7 +122,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, > [!IMPORTANT] > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Key Trust deployment ![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) @@ -133,7 +133,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Certificate Trust deployment ![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) @@ -147,4 +147,4 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| |G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 936c4a59e4..e795b09887 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -187,7 +187,7 @@ Joining a device is an extension to registering a device. This means, it provide [Return to Top](hello-how-it-works-technology.md) ## Key Trust -The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. +The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. ### Related topics [Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 4ddd3e27d4..d231dc9a9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -66,15 +66,21 @@ If you are interested in configuring your environment to use the Windows Hello f Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory -#### Why does Windows need to validate the domain controller certifcate? +#### Why does Windows need to validate the domain controller certificate? -Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. + +> [!Tip] +> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. + + ## Configuring a CRL Distribution Point for an issuing certificate authority Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. @@ -164,7 +170,7 @@ These procedures configure NTFS and share permissions on the web server to allow 9. Click **Close** in the **cdp Properties** dialog box. -### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority +### Configure the new CRL distribution point and Publishing location in the issuing certificate authority The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index c7fd156e98..5ea3bbbae9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -131,9 +131,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**. -8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. -9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. -10. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. +8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. +9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. +10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index ed400300f7..2bfa7ac0bd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -30,7 +30,7 @@ Enterprises can use either a key or a certificate to provide single-sign on for When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. +When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 71ad012ce7..5c60844b4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -30,7 +30,7 @@ The distributed systems on which these technologies were built involved several * [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authetication](#multifactor-authentication) +* [MultiFactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -82,7 +82,7 @@ Organizations using older directory synchronization technology, such as DirSync
    ## Federation ## -Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. +Windows Hello for Business hybrid certificate trust requires Active Directory being federated with Azure Active Directory and needs Windows Server 2016 Active Directory Federation Services or newer. Windows Hello for Business hybrid certificate trust doesn’t support Managed Azure Active Directory using Pass-through authentication or password hash sync. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) @@ -140,4 +140,4 @@ If your environment is already federated and supports Azure device registration, 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 461d86ca82..5350a7e35a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -59,7 +59,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index aebc17a2ae..1993139da7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -62,7 +62,7 @@ The minimum required enterprise certificate authority that can be used with Wind > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 672ad0f33f..ae8da9280d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -50,7 +50,7 @@ The table shows the minimum requirements for each deployment. For key trust in a | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
    *Minimum:* Windows 10, version 1703
    *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
    **Azure AD Joined:**
    Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | -| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
    and
    Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | @@ -67,7 +67,7 @@ The table shows the minimum requirements for each deployment. | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | -| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | | AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index b95f3a6b88..04dc168342 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -75,9 +75,9 @@ It’s fundamentally important to understand which deployment model to use for a A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. -The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. #### Device registration @@ -85,11 +85,11 @@ All devices included in the Windows Hello for Business deployment must go throug #### Key registration -The in-box Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. +The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. #### Multifactor authentication -The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The in-box provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. +The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). >[!NOTE] @@ -105,7 +105,7 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti #### Directory synchronization -Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. +Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification. ### Management diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png index 454fe3df0a..8b003013f0 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png index 7f9774389c..bc2fdb105b 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png differ diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index ec19abbc74..929535ee97 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -9,6 +9,7 @@ author: DaniHalfin ms.localizationpriority: high ms.author: daniha ms.date: 10/16/2017 +ms.topic: article --- # How Windows Hello for Business works diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index de55fa465e..c286b36226 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -1,6 +1,14 @@ # [Windows Hello for Business](hello-identity-verification.md) +##[Password-less Strategy](passwordless-strategy.md) + ## [Windows Hello for Business Overview](hello-overview.md) +## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + +## [Windows Hello for Business Features](hello-features.md) +### [Multifactor Unlock](feature-multifactor-unlock.md) + ## [How Windows Hello for Business works](hello-how-it-works.md) ### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) #### [Technology and Terminology](hello-how-it-works-technology.md) @@ -8,17 +16,12 @@ #### [Provisioning](hello-how-it-works-provisioning.md) #### [Authentication](hello-how-it-works-authentication.md) -## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -## [Windows Hello and password changes](hello-and-password-changes.md) -## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -## [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) +## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) + ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) + ### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) #### [Prerequisites](hello-hybrid-key-trust-prereqs.md) #### [New Installation Baseline](hello-hybrid-key-new-install.md) @@ -53,10 +56,11 @@ ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) -## [Windows Hello for Business Features](hello-features.md) -### [Multifactor Unlock](feature-multifactor-unlock.md) +## [Windows Hello and password changes](hello-and-password-changes.md) +## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) ## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md) ### [Windows Hello for Business Videos](hello-videos.md) -##[Password-less Strategy](passwordless-strategy.md) \ No newline at end of file +## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +## [Event ID 300 - Windows Hello successfully created](hello-event-300.md) \ No newline at end of file diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index d4040d63f5..ccafee06af 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -89,7 +89,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r The Remote Desktop client device: -- Must be running at least Windows 10, version 1703 to be able to supply credentials. +- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. @@ -176,4 +176,4 @@ mstsc.exe /remoteGuard - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. -- The server and client must authenticate using Kerberos. \ No newline at end of file +- The server and client must authenticate using Kerberos. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 4b0bf32fe5..3964a0f292 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -95,6 +95,7 @@ This policy setting controls whether the elevation request prompt is displayed o - **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. + ## User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index e69b8ed62c..69944937b7 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -10,7 +10,7 @@ ms.author: pashort manager: elizapo ms.reviewer: ms.localizationpriority: medium -ms.date: 01/26/2019 +ms.date: 03/21/2019 --- # VPN and conditional access @@ -32,11 +32,7 @@ Conditional Access Platform components used for Device Compliance include the fo - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. -- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. - - Additional details regarding the Azure AD issued short-lived certificate: - - The default lifetime is 60 minutes and is configurable - - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection +- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. - [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index 6750ea0cc6..f6f4fac5a3 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -31,13 +31,11 @@ ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) -#### [Create a WIP policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) -##### [Deploy your WIP policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) -##### [Associate and deploy a VPN policy for WIP using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) #### [Create a WIP policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) ##### [Deploy your WIP policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) -#### [Create a WIP policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md) +#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) +#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) ### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) #### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 89aeaf1312..fb5a32c9ae 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -3,15 +3,17 @@ title: BCD settings and BitLocker (Windows 10) description: This topic for IT professionals describes the BCD settings that are used by BitLocker. ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/21/2017 +ms.date: 02/28/2019 --- # BCD settings and BitLocker @@ -103,12 +105,12 @@ The following table contains the default BCD validation profile used by BitLocke This following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. > **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. -  + | Hex Value | Prefix | Friendly Name | | - | - | - | -| 0x12000004 | all| description| -| 0x12000005| all| locale| -| 0x12000016| all| targetname| +| 0x12000004 | all | description | +| 0x12000005 | all | locale | +| 0x12000016 | all | targetname | | 0x12000019| all| busparams| | 0x1200001d| all| key| | 0x1200004a| all| fontpath| @@ -180,7 +182,7 @@ This following is a full list of BCD settings with friendly names which are igno | 0x25000061 | winload| numproc| | 0x25000063 | winload| configflags| | 0x25000066| winload| groupsize| -| 0x25000071 | winload| msi| +| 0x25000071 | winload| msi| | 0x25000072 | winload| pciexpress| | 0x25000080 | winload| safeboot| | 0x250000a6 | winload| tscsyncpolicy| diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index ba3d34afe1..15a2f305ae 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -3,16 +3,17 @@ title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/03/2018 +ms.date: 02/28/2019 --- # BitLocker and Active Directory Domain Services (AD DS) FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 592be01143..c9ba5464a6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -3,15 +3,17 @@ title: BitLocker basic deployment (Windows 10) description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 02/28/2019 --- # BitLocker basic deployment diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 2655d0474e..8f4bf8f1e5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -3,15 +3,17 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/06/2018 +ms.date: 02/28/2019 --- # BitLocker Countermeasures diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index 28ec21a3bf..4dddbd05fe 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -3,19 +3,20 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/25/2018 +ms.date: 02/28/2019 --- -# BitLocker Deployment and Administration FAQ +# BitLocker frequently asked questions (FAQ) **Applies to** - Windows 10 diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 0e713f66aa..2cb23707fe 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -2,11 +2,17 @@ title: Overview of BitLocker Device Encryption in Windows 10 description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows 10. ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: Justinha -ms.date: 01/12/2019 +ms.localizationpriority: medium +author: justinha +ms.author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 --- # Overview of BitLocker Device Encryption in Windows 10 diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 26f1385795..8ffbf8ec53 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -3,16 +3,17 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/03/2018 +ms.date: 02/28/2019 --- # BitLocker frequently asked questions (FAQ) diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 5107934ed4..0b3297ec31 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -3,15 +3,17 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/03/2017 +ms.date: 04/17/2019 --- # BitLocker Group Policy settings @@ -236,11 +238,11 @@ This policy setting is used to control which unlock options are available for op   **Reference** -If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. -On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use: +On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use: -- only the TPM for authentication +- only the TPM - insertion of a USB flash drive containing the startup key - the entry of a 4-digit to 20-digit personal identification number (PIN) - a combination of the PIN and the USB flash drive @@ -390,7 +392,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p | **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | | **Introduced** | Windows 10, version 1703 | | **Drive type** | Operating system drives | -| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| | **Conflicts** | None | | **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | | **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| @@ -1165,7 +1167,8 @@ This policy controls how BitLocker reacts to systems that are equipped with encr

    When not configured

    -

    BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

    +

    BitLocker software-based encryption is used irrespective of hardware-based encryption ability. +

    @@ -1219,7 +1222,7 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper

    When not configured

    -

    BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

    +

    BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

    @@ -1275,7 +1278,7 @@ This policy controls how BitLocker reacts to encrypted drives when they are used

    When not configured

    -

    BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

    +

    BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

    diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index e505fa5f8d..8f9df7aad6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -2,16 +2,18 @@ title: BitLocker How to deploy on Windows Server 2012 and later description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.prod: windows-server-threshold -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/19/2019 +ms.date: 02/28/2019 --- # BitLocker: How to deploy on Windows Server 2012 and later diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 321a0ffe66..ed0dece280 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -3,11 +3,17 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 02/20/2019 +ms.localizationpriority: medium +author: justinha +ms.author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 --- # BitLocker: How to enable Network Unlock diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index 686e594e1e..52925ce212 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -3,16 +3,17 @@ title: BitLocker Key Management FAQ (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/03/2018 +ms.date: 02/28/2019 --- # BitLocker Key Management FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 38e4da5877..9879494122 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -1,18 +1,18 @@ --- title: BitLocker Management Recommendations for Enterprises (Windows 10) description: This topic explains recommendations for managing BitLocker. -ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 01/26/2019 +ms.date: 02/28/2019 --- # BitLocker Management for Enterprises diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md index fbdf7d7e41..9710cd5603 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md @@ -1,18 +1,18 @@ --- title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/03/2018 +ms.date: 02/28/2019 --- # BitLocker Network Unlock FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index ca512b92d3..96f2cf4b98 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -3,16 +3,17 @@ title: BitLocker overview and requirements FAQ (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/21/2019 +ms.date: 02/28/2019 --- # BitLocker Overview and Requirements FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 2c7235ba57..43aa2cefe9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -3,14 +3,17 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.date: 02/28/2019 --- # BitLocker recovery guide diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md index 0b345c1349..2a2971042f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md @@ -3,16 +3,17 @@ title: BitLocker Security FAQ (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/12/2018 +ms.date: 02/28/2019 --- # BitLocker Security FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index 1b10ce9876..4b09766a7c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -1,18 +1,18 @@ --- title: BitLocker Upgrading FAQ (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/03/2018 +ms.date: 02/28/2019 --- # BitLocker Upgrading FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index d65bc1e6ed..31674e2c0e 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -3,15 +3,17 @@ title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windo description: This topic for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/25/2017 +ms.date: 02/28/2019 --- # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 84411a03ec..56d19b8cbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -3,15 +3,17 @@ title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 02/28/2019 --- # BitLocker: Use BitLocker Recovery Password Viewer diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index fb49f2d779..48020eea3e 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -3,16 +3,17 @@ title: Using BitLocker with other programs FAQ (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/10/2018 +ms.date: 02/28/2019 --- # Using BitLocker with other programs FAQ diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 658600d2ea..86ebe29111 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -3,15 +3,17 @@ title: Prepare your organization for BitLocker Planning and policies (Windows 10 description: This topic for the IT professional explains how can you plan your BitLocker deployment. ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/04/2018 +ms.date: 04/17/2019 --- # Prepare your organization for BitLocker: Planning and policies @@ -161,9 +163,9 @@ Full drive encryption means that the entire drive will be encrypted, regardless ## Active Directory Domain Services considerations -BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information: +BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/). diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 228b3241e9..22ebe4babb 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -3,15 +3,17 @@ title: Protecting cluster shared volumes and storage area networks with BitLocke description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha +ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/19/2017 +ms.date: 02/28/2019 --- # Protecting cluster shared volumes and storage area networks with BitLocker diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 97d7c8d5e6..700a3d2672 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -6,32 +6,29 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/19/2017 +author: brianlic-msft +ms.date: 04/02/2019 --- # Encrypted Hard Drive **Applies to** - Windows 10 +- Windows Server 2019 - Windows Server 2016 Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. -Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. In Windows 8, Windows Server 2012, and later you can install to these devices without additional modification. +Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012. -Some of the benefits of Encrypted Hard Drives include: +Encrypted Hard Drives provide: - **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. - **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system -- **Ease of use**: Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. -- **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. +- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. +- **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. Encrypted Hard Drives are supported natively in the operating system through the following mechanisms: @@ -41,20 +38,21 @@ Encrypted Hard Drives are supported natively in the operating system through the - **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE) - **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience. ->**Warning:**  Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment. +>[!WARNING]   +>Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.   If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](https://msdn.microsoft.com/library/windows/hardware/dn653989.aspx). ## System Requirements -To use Encrypted Hard Drive, the following system requirements apply: +To use Encrypted Hard Drives, the following system requirements apply: -For Encrypted Hard Drives used as **data drives**: +For an Encrypted Hard Drive used as a **data drive**: - The drive must be in an uninitialized state. - The drive must be in a security inactive state. -For Encrypted Hard Drives used as **startup drives**: +For an Encrypted Hard Drive used as a **startup drive**: - The drive must be in an uninitialized state. - The drive must be in a security inactive state. @@ -62,7 +60,8 @@ For Encrypted Hard Drives used as **startup drives**: - The computer must have the Compatibility Support Module (CSM) disabled in UEFI. - The computer must always boot natively from UEFI. ->**Warning:**  All Encrypted Hard Drives must be attached to non-RAID controllers to function properly. +>[!WARNING]   +>All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.   ## Technical overview @@ -77,7 +76,15 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same - **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](https://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. - **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work. -### Encrypted Hard Drive Architecture +## Configuring hardware-based encryption with Group Policy + +There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: + +- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdefxdaconfigure-use-of-hardware-based-encryption-for-fixed-data-drives) +- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hderddaconfigure-use-of-hardware-based-encryption-for-removable-data-drives) +- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdeosdaconfigure-use-of-hardware-based-encryption-for-operating-system-drives) + +## Encrypted Hard Drive Architecture Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK). diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 529d064913..bfded5408a 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 12/20/2018 +ms.author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/26/2019 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -94,13 +99,15 @@ In-market systems, released with Windows 10 version 1709 or earlier, will not su No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. ### How can I check if a certain driver supports DMA-remapping? -DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the following Property GUID (highlighted in red in the image below) in the Details tab of a device in Device Manager. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. +DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external). +*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. + ![Kernel DMA protection user experience](images/device-details-tab.png) ### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping? -If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation). +If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found at the [Microsoft Partner Center](https://partner.microsoft.com/dashboard/collaborate/packages/4142). ### Do Microsoft drivers support DMA-remapping? In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping. diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 37232dee00..072e16abfe 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -78,7 +78,7 @@ All x86-based Certified For Windows 10 PCs must meet several requirements relat These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: -- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to . +- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to . - **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index 57322cf856..8508fd4dae 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -83,7 +83,7 @@ For information about mitigating dictionary attacks that use the lockout setting ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/). ## Related topics diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 752c36ecf3..4b46dd2dc1 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/05/2019 --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate @@ -46,7 +46,7 @@ The recovery process included in this topic only works for desktop devices. WIP >[!Important] >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). ## Verify your data recovery certificate is correctly set up on a WIP client computer @@ -141,7 +141,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp - [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx) -- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) - [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md deleted file mode 100644 index cd3a0e3848..0000000000 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ /dev/null @@ -1,126 +0,0 @@ ---- -title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune (Windows 10) -description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. -ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: WIP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -ms.author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/26/2019 ---- - -# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune -**Applies to:** - -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later - -After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. - -## Create your VPN policy using Microsoft Intune -Follow these steps to create the VPN policy you want to use with WIP. - -**To create your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune, Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) - -3. Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) - -4. In the **VPN Settings** area, type the following info: - - - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. - - - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. - - - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. - - - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). - - ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) - -5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

    -It's your choice whether you check the box to **Remember the user credentials at each logon**. - - ![Microsoft Intune, Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) - -6. You can leave the rest of the default or blank settings, and then click **Save Policy**. - -## Deploy your VPN policy using Microsoft Intune -After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. - -**To deploy your VPN policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    -The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    -The policy is deployed to the selected users' devices. - -## Link your WIP and VPN policies and deploy the custom configuration policy -The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies - -**To link your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune, Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) - -4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info. - -5. In the **OMA-URI Settings** area, type the following info: - - - **Setting name.** Type **EDPModeID** as the name. - - - **Data type.** Pick the **String** data type. - - - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EDPModeId`, replacing <*VPNProfileName*> with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`. - - - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. - - ![Microsoft Intune: Fill in the OMA-URI Settings for the EMPModeID setting](images/intune-vpn-omaurisettings.png) - -6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** - - - **To deploy your linked policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune, Manage Deployment box used to deploy your linked VPN policy](images/intune-groupselection_vpnlink.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. - - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - - - - - diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index e748a7ae20..7728af0c4f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -5,80 +5,90 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium author: justinha ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 04/17/2019 --- -# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune +# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune **Applies to:** - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device. -## Alternative steps if you use MAM only (without device enrollment) +## Differences between MDM and MAM for WIP -This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). +You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: -If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. +- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. +- MAM supports only one user per device. +- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md). +- MAM has additional **Access** settings for Windows Hello for Business. +- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device. +- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). +- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. -Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. +## Prerequisites -## Add a WIP policy -Follow these steps to add a WIP policy using Intune. +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. -**To add a WIP policy** -1. Open Microsoft Intune and click **Client apps**. +## Configure the MDM or MAM provider - ![Open Client apps](images/open-mobile-apps.png) +1. Sign in to the Azure portal. +2. Click **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**. +3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**: -2. In **Client apps**, click **App protection policies**. + ![Configure MDM or MAM provider](images/mobility-provider.png) - ![App protection policies](images/app-protection-policies.png) +## Create a WIP policy -3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: - - **Name.** Type a name (required) for your new policy. +1. Sign in to the Azure portal. - - **Description.** Type an optional description. +2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**. - - **Platform.** Choose **Windows 10**. + ![Open Client apps](images/create-app-protection-policy.png) - - **Enrollment state.** Choose **With enrollment**. +3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: - ![Add a mobile app policy](images/add-a-mobile-app-policy.png) + - **Name.** Type a name (required) for your new policy. - >[!Important] - >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). + - **Description.** Type an optional description. -4. Click **Protected apps** and then click **Add apps**. + - **Platform.** Choose **Windows 10**. - ![Add protected apps](images/add-protected-apps.png) + - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM. - You can add these types of apps: + ![Add a mobile app policy](images/add-a-mobile-app-policy.png) - - [Recommended apps](#add-recommended-apps) - - [Store apps](#add-store-apps) - - [Desktop apps](#add-desktop-apps) +4. Click **Protected apps** and then click **Add apps**. + + ![Add protected apps](images/add-protected-apps.png) + + You can add these types of apps: + + - [Recommended apps](#add-recommended-apps) + - [Store apps](#add-store-apps) + - [Desktop apps](#add-desktop-apps) + +>[!NOTE] +>An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy. ### Add recommended apps -To add **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**. - -The **Protected apps** blade updates to show you your selected apps. +Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**. -![Microsoft Intune management console: Recommended apps](images/wip-azure-allowed-apps-with-apps.png) +![Microsoft Intune management console: Recommended apps](images/recommended-apps.png) ### Add Store apps -To add **Store apps**, type the app product name and publisher and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following: +Select **Store apps**, type the app product name and publisher, and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following: - **Name**: Microsoft Power BI - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` @@ -88,7 +98,7 @@ To add **Store apps**, type the app product name and publisher and click **OK**. To add multiple Store apps, click the elipsis **…**. -If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. +If you don't know the Store app publisher or product name, you can find them by following these steps. 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*. @@ -111,6 +121,8 @@ If you don't know the Store app publisher or product name, you can find them for >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
    }     + If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. @@ -173,10 +185,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo -After you’ve entered the info into the fields, click **OK**. - ->[!Note] ->To add multiple Desktop apps, click the elipsis **…**. When you’re done, click **OK**. +To add another Desktop app, click the elipsis **…**. After you’ve entered the info into the fields, click **OK**. ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) @@ -185,6 +194,7 @@ If you’re unsure about what to include for the publisher, you can run this Pow ```ps1 Get-AppLockerFileInformation -Path "" ``` + Where `""` goes to the location of the app on the device. For example: ```ps1 @@ -202,9 +212,16 @@ Path Publisher Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name. ### Import a list of apps -For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. -**To create a list of protected apps using the AppLocker tool** +This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. + +- [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps) +- [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps) + +For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. + +#### Create a Packaged App rule for Store apps + 1. Open the Local Security Policy snap-in (SecPol.msc). 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. @@ -277,7 +294,8 @@ For this example, we’re going to add an AppLocker XML file to the **Protected 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To create an Executable rule and xml file for unsigned apps** +## Create an Executable rule for unsigned apps + 1. Open the Local Security Policy snap-in (SecPol.msc). 2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**. @@ -325,9 +343,7 @@ For this example, we’re going to add an AppLocker XML file to the **Protected The file imports and the apps are added to your **Protected apps** list. ### Exempt apps from a WIP policy -If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** +If your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. 1. In **Client apps - App protection policies**, click **Exempt apps**. @@ -354,14 +370,7 @@ After you've added the apps you want to protect with WIP, you'll need to apply a We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**. ->[!NOTE] ->For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - -**To add your protection mode** - -1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. - - The **Required settings** blade appears. +1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**. ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) @@ -381,89 +390,159 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor **To change your corporate identity** -1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. +1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add domains, for example your email domains, you can do it in the **Advanced settings** area. +2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. - ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) + ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) + +3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**. + + ![Add protected domains](images/add-protected-domains.png) ## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include policy that defines your enterprise network locations. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). ->[!Important] ->Every WIP policy should include policy that defines your enterprise network locations.
    Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. -**To define where your protected apps can find and send enterprise data on you network** +![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) -1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**. +Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**. -2. Click **Add network boundary** from the Network perimeter area. +### Cloud resources - ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) +Specify the cloud resources to be treated as corporate and protected by WIP. +For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. +Be aware that all traffic routed through your Internal proxy servers is considered enterprise. -3. Select the type of network boundary to add from the **Boundary type** box. +Separate multiple resources with the "|" delimiter. +If you don’t use proxy servers, you must also include the "," delimiter just before the "|". +For example: -4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. +```code +URL <,proxy>|URL <,proxy> +``` - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Boundary typeValue formatDescription
    Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com    		Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
    Protected domainsexchange.contoso.com,contoso.com,region.contoso.comSpecify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple domains, you must separate them using the "," delimiter.
    Network domainscorp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple resources, you must separate them using the "," delimiter.
    Proxy serversproxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    Internal proxy serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    IPv4 ranges**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254    		Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.
    IPv6 ranges**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff    		Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.
    Neutral resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.
    +Personal applications will be able to access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL. -5. Repeat steps 1-4 to add any additional network boundaries. +To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks). -6. Decide if you want to Windows to look for additional network settings: +In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. +In this case, Windows blocks the connection by default. +To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting. +For example: - ![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) +```code +URL <,proxy>|URL <,proxy>/*AppCompat*/ +``` - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. +When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. +Value format with proxy: + +```code +contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com +``` + +Value format without proxy: + +```code +contoso.sharepoint.com|contoso.visualstudio.com +``` + +### Protected domains + +Specify the domains used for identities in your environment. +All traffic to the fully-qualified domains appearing in this list will be protected. +Separate multiple domains with the "," delimiter. + +```code +exchange.contoso.com,contoso.com,region.contoso.com +``` + +### Network domains + +Specify the DNS suffixes used in your environment. +All traffic to the fully-qualified domains appearing in this list will be protected. +Separate multiple resources with the "," delimiter. + +```code +corp.contoso.com,region.contoso.com +``` + +### Proxy servers + +Specify the proxy servers your devices will go through to reach your cloud resources. +Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. + +This list shouldn’t include any servers listed in your Internal proxy servers list. +Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Separate multiple resources with the ";" delimiter. + +```code +proxy.contoso.com:80;proxy2.contoso.com:443 +``` + +### Internal proxy servers + +Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. + +This list shouldn’t include any servers listed in your Proxy servers list. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +Separate multiple resources with the ";" delimiter. + +```code +contoso.internalproxy1.com;contoso.internalproxy2.com +``` + +### IPv4 ranges + +Starting with Windows 10, version 1703, this field is optional. + +Specify the addresses for a valid IPv4 value range within your intranet. +These addresses, used with your Network domain names, define your corporate network boundaries. +Classless Inter-Domain Routing (CIDR) notation isn’t supported. + +Separate multiple ranges with the "," delimiter. + +**Starting IPv4 Address:** 3.4.0.1 +**Ending IPv4 Address:** 3.4.255.254 +**Custom URI:** 3.4.0.1-3.4.255.254, +
    10.0.0.1-10.255.255.254 + +### IPv6 ranges + +Starting with Windows 10, version 1703, this field is optional. + +Specify the addresses for a valid IPv6 value range within your intranet. +These addresses, used with your network domain names, define your corporate network boundaries. +Classless Inter-Domain Routing (CIDR) notation isn’t supported. + +Separate multiple ranges with the "," delimiter. + +**Starting IPv6 Address:** 2a01:110:: +**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff +**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +### Neutral resources + +Specify your authentication redirection endpoints for your company. +These locations are considered enterprise or personal, based on the context of the connection before the redirection. +Separate multiple resources with the "," delimiter. + +```code +sts.contoso.com,sts.contoso2.com +``` + +Decide if you want Windows to look for additional network settings: + +- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for additional proxy servers in your immediate network. + +- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + +![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) ## Upload your Data Recovery Agent (DRA) certificate After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. @@ -524,7 +603,7 @@ WIP can integrate with Microsoft Azure Rights Management to enable secure sharin To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive. >[!IMPORTANT] >Curly braces -- {} -- are required around the RMS Template ID. @@ -533,15 +612,12 @@ Optionally, if you don’t want everyone in your organization to be able to shar >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Related topics + - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) -- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - -- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?](https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) - [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md deleted file mode 100644 index 6e09af0066..0000000000 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ /dev/null @@ -1,484 +0,0 @@ ---- -title: Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10) -description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. -ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -ms.author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/26/2019 ---- - -# Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune - -**Applies to:** - -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later - -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. - -## Add a WIP policy -After you’ve set up Intune for your organization, you must create a WIP-specific policy. - -**To add a WIP policy** -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. - -2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) - -## Add app rules to your policy -During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. - ->[!Important] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -### Add a store app rule to your policy -For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. - -**To add a store app** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. - -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. - -4. Pick **Store App** from the **Rule template** drop-down list. - - The box changes to show the store app rule options. - -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. - -If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the Publisher and Product Name values for Store apps without installing them** -1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. - -3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - - The API runs and opens a text editor with the app details. - - ```json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - -4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - - >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - - >**Note**
    Your PC and phone must be on the same wireless network. - -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - -3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - -7. Start the app for which you're looking for the publisher and product name values. - -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. - -**To add a desktop app** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. - -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. - -4. Pick **Desktop App** from the **Rule template** drop-down list. - - The box changes to show the store app rule options. - -5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    OptionManages
    All fields left as “*”All files signed by any publisher. (Not recommended)
    Publisher selectedAll files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.

    Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
    Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.

    Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
    - -If you’re unsure about what to include for the publisher, you can run this PowerShell command: - -```ps1 - Get-AppLockerFileInformation -Path "" -``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. - -In this example, you'd get the following info: - -``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... -``` -Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. - -### Add an AppLocker policy file -Now we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview). - -**To create a Packaged App rule and xml file** -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left pane, click **Application Control Policies** > **AppLocker** > **Packaged App Rules**. - - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) - -3. Right-click **Packaged App Rules** > **Create New Rule**. - -4. On the **Before You Begin** page, click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) - -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) - -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) - -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) - -8. On the updated **Publisher** page, click **Create**. - - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) - -9. Review the Local Security Policy snap-in to make sure your rule is correct. - - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) - -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - - The **Export policy** box opens, letting you export and save your new policy as XML. - - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) - -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - - **Example XML file**
    - This is the XML file that AppLocker creates for Microsoft Photos. - - ```xml - - - - - - - - - - - - - - - - ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. - -**To import your Applocker policy file app rule using Microsoft Intune** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. - -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. - -4. Pick **AppLocker policy file** from the **Rule template** drop-down list. - - The box changes to let you import your AppLocker XML policy file. - -5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. - - The file is imported and the apps are added to your **App Rules** list. - -### Exempt apps from WIP restrictions -If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt a store app, a desktop app, or an AppLocker policy file app rule** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. - -3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. - -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. - -5. Click **OK**. - -## Manage the WIP protection mode for your enterprise data -After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. - -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**. - -|Mode |Description | -|-----|------------| -|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| - -![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) - -## Define your enterprise-managed corporate identity -Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. - -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. - -**To add your corporate identity** -- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - - ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) - -## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - -There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->[!IMPORTANT] ->Every WIP policy should include policy that defines your enterprise network locations.
    ->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. - -**To define where your protected apps can find and send enterprise data on you network** - -1. Add additional network locations your apps can access by clicking **Add**. - - The **Add or edit corporate network definition** box appears. - -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - - ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) -

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Network location typeFormatDescription
    Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

    		Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter.

    Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

    This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

    This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254    		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff    		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.

    - -3. Add as many locations as you need, and then click **OK**. - - The **Add corporate network definition** box closes. - -4. Decide if you want to Windows to look for additional network settings: - - ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) - - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. - -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) - - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). - -## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. - -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. - -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. - ->[!IMPORTANT] ->Curly braces -- {} -- are required around the RMS Template ID. - ->[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. - -## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. - -![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) - -**To set your optional settings** -1. Choose to set any or all of the optional settings: - - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **Yes (recommended).** Turns on the feature and provides the additional protection. - - - **No, or not configured.** Doesn't enable this feature. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - - - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. - -2. Click **Save Policy**. - -## Related topics -- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - -- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) - -- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) - -- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md deleted file mode 100644 index 1e940e8137..0000000000 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ /dev/null @@ -1,665 +0,0 @@ ---- -title: Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune (Windows 10) -description: The Azure portal for Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, supporting mobile application management (MAM), to let you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -ms.author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/26/2019 ---- - -# Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune - -**Applies to:** - -- Windows 10, version 1703 and later -- Windows 10 Mobile, version 1703 and later (except Microsoft Azure Rights Management, which is only available on the desktop) - -By using Microsoft Intune with Mobile application management (MAM), organizations can take advantage of Azure Active Directory (Azure AD) and the app protection policy feature to keep employees from logging in with personal credentials and accessing corporate data. Additionally, MAM solutions can help your enterprise do the following for mobile apps: - -- Configure, update, and deploy mobile apps to employees -- Control what your employees can do with enterprise data, such as copying, pasting, and saving -- Keep enterprise data separate from your employee's personal data -- Remove enterprise data from employee's devices -- Report on mobile app inventory and track usage - -## Alternative steps if you already manage devices with MDM - -This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). - -If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. - -Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. - -## Prerequisites to using MAM with Windows Information Protection (WIP) -Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10). - -Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. - ->[!Important] ->WIP doesn't support multi-identity. Only one managed identity can exist at a time. - -## Add a WIP policy -After you’ve set up Intune for your organization, you must create a WIP-specific policy. - -**To add a WIP policy** -1. Open the Azure portal and click the **Intune service** from the sidebar. - - The Microsoft Intune Overview blade appears. - -2. Click **Client apps**, click **App protection policies**, and then click **Add a policy**. - - ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start-mam.png) - -3. In the **Add a policy** blade, fill out the fields: - - - **Name.** Type a name (required) for your new policy. - - - **Description.** Type an optional description. - - - **Platform.** Choose **Windows 10** to create your MAM policy for desktop client devices. - - - **Enrollment state.** Choose **Without enrollment** as the enrollment state for your policy. - - ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-add-policy.png) - - >[!Important] - >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). - -4. Click **Create**. - - The policy is created and appears in the table on the **Client apps - App protection policies** blade. - - >[!NOTE] - >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. - -## Add apps to your Protected apps list -During the policy-creation process in Intune, you can choose the apps you want to allow, as well as deny, access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. You can also import a list of approved apps or add exempt apps. - -In addition, you can create an app deny list related to the policy based on an **action** value. The action can be either **Allow** or **Deny**. When you specify the deny action for an app using the policy, corporate access is denied to the app. - ->[!Important] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Protected apps** list. If you don’t get this statement, it’s possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation. - -### Add a Recommended app to your Protected apps list -For this example, we’re going to add a few recommended apps to the **Protected apps** list. - -**To add a recommended app** -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - - The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. - - ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png) - -2. From the **Protected apps** blade, click **Add apps**. - - The **Add apps** blade appears, showing you all **Recommended apps**. - - ![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png) - -3. Select each app you want to access your enterprise data, and then click **OK**. - - The **Protected apps** blade updates to show you your selected apps. - - ![Microsoft Intune management console: Protected apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) - -4. Click **Save** to save the **Protected apps** list to your policy. - -### Add a Store app to your Protected apps list -For this example, we’re going to add Microsoft Power BI, a Windows store app, to the **Protected apps** list. - -**To add a Store app** -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - - The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. - -2. From the **Protected apps** blade, click **Add apps**. - -3. On the **Add apps** blade, click **Store apps** from the dropdown list. - -4. Type the friendly name of the app, the publisher info, and the product name. For this example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.MicrosoftPowerBIForWindows`. - -5. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. - - >[!NOTE] - >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and continue to add more apps. When you’re done, click **OK**. - - ![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png) - -#### Find the Name, Publisher, and Product name for Store apps -If you don't know the publisher or product name for your Store app, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the publisher and product name values for Store apps without installing them** -1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. - -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. - -3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. - - The API runs and opens a text editor with the app details. - - ```json - { - "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - -4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of the **Add apps** blade. - - >[!Important] - >The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.

    For example:
    - {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
    }     - -**To find the publisher and product name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Microsoft Store for Business, you must use the **Windows Device Portal** feature. - - >[!NOTE] - >Your PC and phone must be on the same wireless network. - -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - -3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - -7. Start the app for which you're looking for the publisher and product name values. - -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >[!Important] - >The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.

    For example:
    - {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
    }     - -### Add a Desktop app to your Protected apps list -For this example, we’re going to add WordPad, a Desktop app, to the **Protected apps** list. - -**To add a Desktop app** -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - - The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. - -2. From the **Protected apps** blade, click **Add apps**. - -3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. - - The blade changes to show boxes for you to add the following, based on the results you want returned: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldManages
    All fields marked as “*”All files signed by any publisher. (Not recommended)
    NameA friendly name for your app. You can't use this field by itself. However, you can use it in conjunction with any of the other fields.
    Publisher (required) onlyFilling out this field, gives you all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.

    This is a required field and must be filled out whether by itself or in conjunction with other fields.
    Publisher (required) and Product name onlyIf you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.
    Publisher (required), Product name, and File onlyIf you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.
    Publisher (required), Product name, File, and Min version onlyIf you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.
    Publisher (required), Product name, File, and Max version onlyIf you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.
    All fields completedIf you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.
    - -4. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. - - >[!Note] - >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. - - ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) - -#### Find the Publisher and File name for Desktop apps -If you’re unsure about what to include for the publisher, you can run this PowerShell command: - -```ps1 -Get-AppLockerFileInformation -Path "" -``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`. - -In this example, you'd get the following info: - -``` json -Path Publisher ----- --------- -%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US -``` -Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. - -### Import a list of apps to your Protected apps list -For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. - -**To create a list of Protected apps using the AppLocker tool** - -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - - ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png) - -3. Right-click in the right-hand blade, and then click **Create New Rule**. - - The **Create Packaged app Rules** wizard appears. - -4. On the **Before You Begin** page, click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) - -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png) - -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - - ![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png) - -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. - - ![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png) - -8. On the updated **Publisher** page, click **Create**. - - ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png) - -9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. - - ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png) - -9. Review the Local Security Policy snap-in to make sure your rule is correct. - - ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) - -10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. - - The **Export policy** box opens, letting you export and save your new policy as XML. - - ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) - -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - - **Example XML file**
    - This is the XML file that AppLocker creates for Microsoft Dynamics 365. - - ```xml - - - - - - - - - - - - - - - - - ``` - -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. - -**To import your list of Protected apps using Microsoft Intune** - -1. From the **Protected apps** area, click **Import apps**. - - The blade changes to let you add your import file. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) - -2. Browse to your exported AppLocker policy file, and then click **Open**. - - The file imports and the apps are added to your **Allowed app** list. - -### Add exempt apps to your policy -If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** - -1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears. - - The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy. - -2. From the **Exempt apps** blade, click **Add apps**. - - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic. - -3. Fill out the rest of the app info, based on the type of app you’re adding: - - - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Protected apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. - - - **Store app.** Follow the instructions in the [Add a Store app to your Protected apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. - - - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Protected apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. - - - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Protected apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. - -4. Click **OK**. - -## Manage your Required settings -In the **Required settings** blade you must pick your Windows Information Protection mode and you can review or change your **Corporate identity**. - -### Manage the WIP protection mode for your enterprise data -After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. - -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. - ->[!NOTE] ->For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - -**To add your protection mode** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. - - The **Required settings** blade appears. - - ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) - - |Mode |Description | - |-----|------------| - |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| - |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| - |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| - |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| - -2. Click **Save**. - -### Define your enterprise-managed corporate identity -Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. - -Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field. - -**To change your corporate identity** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. - - The **Required settings** blade appears. - -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area. - - ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) - -## Manage your Advanced settings -In the **Advanced settings** blade you must specify where apps can access your corporate data, upload a Data Recovery Agent (DRA) certificate, and set several optional data protection and access settings. - -### Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - -Intune will add SharePoint sites that are discovered through the Graph API. You must add other network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->[!Important] ->Every WIP policy should include policy that defines your enterprise network locations.
    Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. - -**To define where your allowed apps can find and send enterprise data on you network** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. - -2. Click **Add network boundary** from the **Network perimeter** area. - - The **Add network boundary** blade appears. - - ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) - -3. Select the type of network boundary to add from the **Boundary type** box. - -4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Boundary typeValue formatDescription
    Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com    		Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
    Network domain namescorp.contoso.com,region.contoso.comStarting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple resources, you must separate them using the "," delimiter.
    Proxy serversproxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    Internal proxy serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.
    IPv4 ranges**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254    		Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.
    IPv6 ranges**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff    		Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.
    Neutral resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.
    - -5. Repeat steps 1-4 to add any additional network boundaries. - -6. Decide if you want to Windows to look for additional network settings: - - ![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) - - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click **On** for Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network.Click **Off** and Windows searches for additional proxy servers in your immediate network. - - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click **On** for Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. Click **Off** and Windows searches for additional IP ranges on any domain-joined devices connected to your network. - -### Upload your Data Recovery Agent (DRA) certificate -After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. - ->[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic. - -**To upload your DRA certificate** -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. - -2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) - -### Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. - -**To set your optional settings** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. - -2. Choose to set any or all optional settings: - - ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png) - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **On (recommended).** Turns on the feature and provides the additional protection. - - - **Off** Doesn't enable this feature. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **On (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Revoke access to protected data when the device enrolls to MDM.** Determines whether to revoke a user's WIP keys when a device is upgraded from MAM to a higher-security MDM solution. The options are: - - - **On.** Revokes the encryption keys from a device when it's upgraded from MAM to MDM. - - - **Off.** Encryption keys aren't removed and the user can continue to access protected files. This is the recommended setting if the MDM service uses the same WIP EnterpriseID value as the MAM service. - - - **Show the enterprise data protection icon.** Determines whether an icon appears on corporate files in the **Save As** and **File Explorer** views. The options are: - - - **On.** Allows an icon to appear on corporate files in the **Save As** and **File Explorer** views. Additionally, for unenlightened but allowed apps, the icon also appears on the app tile and with Managed text on the app name in the **Start** menu. - - - **Off (recommended).** Stops the icon from appearing on corporate files or unenlightened, but allowed apps. By default, this is turned off. - - - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. The options are: - - - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. - - - **Off.** Stops using Azure Rights Management encryption with WIP. - - - **MDM discovery URL.** Lets the **Windows Settings** > **Accounts** > **Access work or school** sign-in offer an **Upgrade to MDM** link. Additionally, this lets you switch to another MDM provider, so that Microsoft Intune can manage MAM, while the new MDM provider manages the MDM devices. By default, this is specified to use Microsoft Intune. - -#### Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. - -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. - -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. - ->[!IMPORTANT] ->Curly braces -- {} -- are required around the RMS Template ID. - ->[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. - -### Choose whether to use and configure Windows Hello for Business -You can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices. - -**To turn on and configure Windows Hello for Business** - -1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. - -2. Choose to turn on and configure the Windows Hello for Business settings: - - ![Microsoft Intune, Choose to use Windows Hello for Business](images/wip-azure-access-options.png) - - - **Use Windows Hello for Business as a method for signing into Windows.** Turns on Windows Hello for Business. The options are: - - - **On.** Turns on Windows Hello For Business for anyone assigned to this policy. - - - **Off.** Turns off Windows Hello for Business. - - - **Set the minimum number of characters required for the PIN.** Enter a numerical value (4-127 characters) for how many characters must be used to create a valid PIN. Default is 4 characters. - - - **Configure the use of uppercase letters in the Windows Hello for Business PIN.** Lets you decide whether uppercase letters can be used in a valid PIN. The options are: - - - **Allow the use of uppercase letters in PIN.** Lets an employee use uppercase letters in a valid PIN. - - - **Require the use of at least one uppercase letter in PIN.** Requires an employee to use at least 1 uppercase letter in a valid PIN. - - - **Do not allow the use of uppercase letters in PIN.** Prevents an employee from using uppercase letters in a valid PIN. - - - **Configure the use of lowercase letters in the Windows Hello for Business PIN.** Lets you decide whether lowercase letters can be used in a valid PIN. The options are: - - - **Allow the use of lowercase letters in PIN.** Lets an employee use lowercase letters in a valid PIN. - - - **Require the use of at least one lowercase letter in PIN.** Requires an employee to use at least 1 lowercase letter in a valid PIN. - - - **Do not allow the use of lowercase letters in PIN.** Prevents an employee from using lowercase letters in a valid PIN. - - - **Configure the use of special characters in the Windows Hello for Business PIN.** Lets you decide whether special characters can be used in a valid PIN. The options are: - - - **Allow the use of special characters in PIN.** Lets an employee use special characters in a valid PIN. - - - **Require the use of at least one special character in PIN.** Requires an employee to use at least 1 special character in a valid PIN. - - - **Do not allow the use of special characters in PIN.** Prevents an employee from using special characters in a valid PIN. - - - **Specify the period of time (in days) that a PIN can be used before the system requires the user to change it.** Enter a numerical value (0-730 days) for how many days can pass before a PIN must be changed. If you enter a value of 0, the PIN never expires. - - - **Specify the number of past PINs that can be associated to a user account that can't be reused.** Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN. If you enter a value of 0, a PINs can be reused immediately and past PINs aren't stored. - - >[!NOTE] - >PIN history is not preserved through a PIN reset. - - - **Number of authentication failures allowed before the device will be wiped.** Enter a numerical value for how many times the PIN can be incorrectly entered before wiping the device of corporate data. If you enter a value of 0, the device is never wiped, regardless of the number of incorrect PIN entries.

    This setting has different behavior for mobile devices and desktops. - - - **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data. - - - **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored. - - - **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle. - - >[!NOTE] - >You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored. - - -## Deploy your policy -After you’ve created your policy, you'll need to deploy it to your employees. MAM is deployed to users and not devices. - -**To deploy your policy** - -1. On the **Client apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**. - - A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. - -2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. - - The policy is deployed to the selected group. - - ![Microsoft Intune, Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) - -## Related topics - -- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) - -- [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/) - -- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) - -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) - -- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - -- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 2783e1edb2..101b9976ad 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 04/05/2019 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager @@ -95,7 +95,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** -1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. +1. Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote. >[!NOTE] @@ -505,16 +505,11 @@ After you've finished configuring your policy, you can review all of your info o After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224) -- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225) +- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225) -- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226) +- [How to Deploy Configuration Baselines in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708226) ## Related topics -- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372) - -- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623) - -- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624) - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index f76e952f71..84fcae9939 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/05/2019 --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -40,8 +40,5 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics -- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) - -- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md deleted file mode 100644 index 6f1c74f23f..0000000000 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10) -description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. -ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -ms.author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/26/2019 ---- - -# Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune -**Applies to:** - -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later - -After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. - -**To deploy your WIP policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - - ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    -The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    -The policy is deployed to the selected users' devices. - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - -## Related topics -- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) - -- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 3b2125c461..cfcae5b9de 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 04/15/2019 --- # How Windows Information Protection (WIP) protects a file that has a sensitivity label @@ -34,8 +34,6 @@ Microsoft information protection technologies include: - [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. -- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365. - - [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services. - [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization. @@ -63,7 +61,7 @@ This section covers how WIP works with sensitivity labels in specific use cases. ### User downloads from or creates a document on a work site -If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label. +If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label. If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png b/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png new file mode 100644 index 0000000000..848ff120a2 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png b/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png new file mode 100644 index 0000000000..345093afc8 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/mobility-provider.png b/windows/security/information-protection/windows-information-protection/images/mobility-provider.png new file mode 100644 index 0000000000..280a0531dc Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/mobility-provider.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/recommended-apps.png new file mode 100644 index 0000000000..658cbb343b Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/recommended-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 787a6cfba1..f3d8fb9489 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -6,14 +6,14 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium author: justinha ms.author: justinha manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 04/05/2019 +ms.localizationpriority: medium --- # Limitations while using Windows Information Protection (WIP) @@ -75,6 +75,11 @@ This table provides info about the most common problems you might encounter whil Apps might encounter access errors while attempting to read a cached, offline file. Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

    Note
    For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045). + + An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. +

    Data copied from the WIP-managed device is marked as Work.

    Data copied to the WIP-managed device is not marked as Work.

    Local Work data copied to the WIP-managed device remains Work data.

    Work data that is copied between two apps in the same session remains data. + Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. + You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. @@ -108,11 +113,27 @@ This table provides info about the most common problems you might encounter whil

  2. SavedGames
    3. - WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. + WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + + Only enlightened apps can be managed without device enrollment + + If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintenionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment. + If all apps need to be managed, enroll the device for MDM. + + + + By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it. + + Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. + + If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. + + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index ecb1b8af14..4c8459fac2 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/05/2019 --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) @@ -24,13 +24,10 @@ ms.date: 02/26/2019 This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. ->[!IMPORTANT] ->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization. - |Task|Description| |----|-----------| |Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index eca0d84acb..3af1d9b274 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/11/2019 --- # Create a Windows Information Protection (WIP) policy using Microsoft Intune @@ -27,8 +27,6 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI ## In this section |Topic |Description | |------|------------| -|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | -|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| -|[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 5768cd40ed..626c296a9d 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/05/2019 --- # Protect your enterprise data using Windows Information Protection (WIP) @@ -147,7 +147,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

    **Note**
    For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | +|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. | ## Turn off WIP You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 4af9ce947b..46b7344b5f 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/25/2019 --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) @@ -38,8 +38,15 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc |Visual Studio Online |contoso.visualstudio.com | |Power BI |contoso.powerbi.com | ->[!NOTE] ->You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both. +You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both. + +For Office 365 endpoints, see [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges). +Office 365 endpoints are updated monthly. +Allow the domains listed in section number 46 Allow Required and add also add the apps. +Note that apps from officeapps.live.com can also store personal data. + +When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add a entry for a second-level domain and use a wildcard such as .svc.ms. + ## Recommended Neutral Resources We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP). diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index b00cdeb40f..6f698cb26c 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 03/05/2019 --- # Testing scenarios for Windows Information Protection (WIP) @@ -55,7 +55,7 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. For desktop:

    For mobile:

      @@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your Virtual Private Network (VPN) can be auto-triggered.
        -
      1. Set up your VPN network to start based on the WIPModeID setting.
        For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) topic.
        2. +
      2. Set up your VPN network to start based on the WIPModeID setting.
        For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md) topic.
      3. Start an app from your allowed apps list.
        The VPN network should automatically start.
      4. Disconnect from your network and then start an app that isn't on your allowed apps list.
        The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
      diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index cb808fca31..e65fbfe36a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -7,7 +7,7 @@ ##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md) ###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md) ####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) -###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) +###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) ##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) @@ -73,8 +73,8 @@ #### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) -##### [Threat analytics](windows-defender-atp/threat-analytics.md) -###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +#### [Threat analytics](windows-defender-atp/threat-analytics.md) + #### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) ##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) ###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md) @@ -96,11 +96,16 @@ +#### [Microsoft Threat Experts](windows-defender-atp/microsoft-threat-experts.md) + + + #### [Portal overview](windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md) ### [Get started](windows-defender-atp/get-started.md) +#### [What's new in Windows Defender ATP](windows-defender-atp/whats-new-in-windows-defender-atp.md) #### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) #### [Validate licensing and complete setup](windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md) #### [Preview features](windows-defender-atp/preview-windows-defender-advanced-threat-protection.md) @@ -122,10 +127,10 @@ ### [Configure and manage capabilities](windows-defender-atp/onboard.md) #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) -####Hardware-based isolation -##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) -##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) -###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) +#####Hardware-based isolation +###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) +###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) +####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### Device control ###### [Control USB devices](device-control/control-usb-devices-using-intune.md) @@ -134,11 +139,9 @@ ######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) ######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) -###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) ##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md) ##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) -###### [Customize controlled folder access](windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) ##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md) ###### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md) ##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) @@ -225,17 +228,20 @@ ####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) ###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md) ###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +###### [Onboard machines without Internet access](windows-defender-atp/onboard-offline-machines.md) ###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md) ###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md) ###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md) ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md) -###### Create your app -####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md) -####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md) -###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md) +##### [Windows Defender ATP API](windows-defender-atp/use-apis.md) +###### [Get started with Windows Defender ATP APIs](windows-defender-atp/apis-intro.md) +####### [Hello World](windows-defender-atp/api-hello-world.md) +####### [Get access with application context](windows-defender-atp/exposed-apis-create-app-webapp.md) +####### [Get access with user context](windows-defender-atp/exposed-apis-create-app-nativeapp.md) +###### [APIs](windows-defender-atp/exposed-apis-list.md) + ####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md) ####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md) @@ -249,6 +255,33 @@ ######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) ######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) +####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) +######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) +######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) +######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) + +####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) +######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) +######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) +######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) +######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) +######## [Initiate investigation (preview)](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) + +####### [Indicators (preview)](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) +######## [Submit Indicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md) +######## [List Indicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) +######## [Delete Indicator](windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) + ####### Domain ######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) ######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) @@ -267,28 +300,6 @@ ######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md) ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) -####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) -######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) -######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) -######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) -######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) - - -####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) -######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) -######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) -######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) -######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) -######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) -######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) -######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) -######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) -######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) -######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) - ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) @@ -325,14 +336,19 @@ ###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) ###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) ###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) -###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) -###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +###### [Windows Defender ATP SIEM alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) +###### [Pull alerts using SIEM REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) ###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) ##### Reporting ###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) ###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md) +###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md) + +##### Interoperability +###### [Partner applications](windows-defender-atp/partner-applications.md) + ##### Role-based access control ###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) @@ -344,6 +360,10 @@ ##### [Configure managed security service provider (MSSP) support](windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md) +#### [Configure and manage Microsoft Threat Experts capabilities](windows-defender-atp/configure-microsoft-threat-experts.md) + + + #### Configure Microsoft threat protection integration ##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) ##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md) @@ -373,7 +393,8 @@ #####Rules ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) -###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage indicators](windows-defender-atp/manage-indicators.md) ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) @@ -398,6 +419,7 @@ ####Troubleshoot attack surface reduction ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) ##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) +##### [Collect diagnostic data for files](windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md) #### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) @@ -457,9 +479,6 @@ ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) - - ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) ### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) @@ -1004,10 +1023,17 @@ ###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md) ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) +### [Windows security guidance for enterprises](windows-security-configuration-framework/windows-security-compliance.md) -### [Windows security baselines](windows-security-baselines.md) -#### [Security Compliance Toolkit](security-compliance-toolkit-10.md) -#### [Get support](get-support-for-security-baselines.md) +#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md) +##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md) +##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md) +#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md) +##### [Level 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md) +##### [Level 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md) +##### [Level 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md) +##### [Level 2 enterprise dev/ops workstation](windows-security-configuration-framework/level-2-enterprise-devops-security.md) +##### [Level 1 enterprise administrator workstation](windows-security-configuration-framework/level-1-enterprise-administrator-security.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 7ce77ac37a..66dbdee966 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 02/28/2019 --- # Audit Security Group Management @@ -32,9 +32,9 @@ This subcategory allows you to audit events generated by changes to security gro | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
      We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| -| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
      We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| -| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
      We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| +| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.| +| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.| +| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.| **Events List:** diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 651817d90c..6187a558da 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 04/04/2019 --- # 4716(S): Trusted domain information was modified. @@ -132,7 +132,7 @@ This event is generated only on domain controllers. | 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
      Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
      Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
      Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
      Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
      Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
      Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
      Only evaluated if SID Filtering is used.
      Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
      Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.
      Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
      Only evaluated if SID Filtering is used.
      Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
      Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
      Only evaluated on TRUST\_TYPE\_MIT | | 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
      Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | | 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
      Evaluated only on Windows Server 2016
      Evaluated only if SID Filtering is used.
      Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
      Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index cfb61706ce..ea200b936f 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -80,12 +80,14 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, **Account Information:** -- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested the ticket. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. +- **Account Name** \[Type = UnicodeString\]**:** the user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with **$** character in the user name part. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. - User account example: dadmin@CONTOSO.LOCAL - Computer account example: WIN81$@CONTOSO.LOCAL + > **Note** Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name. + This parameter in this event is optional and can be empty in some cases. - **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: @@ -169,7 +171,7 @@ The most common values: | 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | | 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | | 14 | Request-anonymous | KILE not use this flag. | -| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. | | 16-25 | Unused | - | | 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
      the DISABLE-TRANSITED-CHECK option.
      Should not be in use, because Transited-policy-checked flag is not supported by KILE. | | 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 74fd606119..a1cf9746d1 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -17,37 +17,48 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event is logged if the Windows Filtering Platform has blocked a bind to a local port. - -There is no example of this event in this document. +Event 5159 illustration ***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) -***Event Schema:*** +***Event Description:*** -*The Windows Filtering Platform has blocked a bind to a local port.* +This event is logged if the Windows Filtering Platform has blocked a bind to a local port. -*Application Information:* +
      -> *Process ID:%1* -> -> *Application Name:%2* +***Event XML:*** +``` +- +- + + 5159 + 0 + 0 + 12810 + 0 + 0x8010000000000000 + + 44097 + + + Security + DC01.contoso.local + + +- + 7924 + \device\harddiskvolume2\users\test\desktop\netcat\nc.exe + 0.0.0.0 + 5555 + 6 + 84614 + %%14608 + 36 + + -*Network Information:* - -> *Source Address:%3* -> -> *Source Port:%4* -> -> *Protocol:%5* - -*Filter Information:* - -> *Filter Run-Time ID:%6* -> -> *Layer Name:%7* -> -> *Layer Run-Time ID:%8* +``` ***Required Server Roles:*** None. @@ -55,6 +66,76 @@ There is no example of this event in this document. ***Event Versions:*** 0. +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + + + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application. + +- **Protocol** \[Type = UInt32\]: the protocol number being used. + +| Service | Protocol Number | +|----------------------------------------------------|-----------------| +| Internet Control Message Protocol (ICMP) | 1 | +| Transmission Control Protocol (TCP) | 6 | +| User Datagram Protocol (UDP) | 17 | +| General Routing Encapsulation (PPTP data over GRE) | 47 | +| Authentication Header (AH) IPSec | 51 | +| Encapsulation Security Payload (ESP) IPSec | 50 | +| Exterior Gateway Protocol (EGP) | 8 | +| Gateway-Gateway Protocol (GGP) | 3 | +| Host Monitoring Protocol (HMP) | 20 | +| Internet Group Management Protocol (IGMP) | 88 | +| MIT Remote Virtual Disk (RVD) | 66 | +| OSPF Open Shortest Path First | 89 | +| PARC Universal Packet Protocol (PUP) | 12 | +| Reliable Datagram Protocol (RDP) | 27 | +| Reservation Protocol (RSVP) QoS | 46 | + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example: + + Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + ## Security Monitoring Recommendations - There is no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/images/event-5159.png b/windows/security/threat-protection/auditing/images/event-5159.png new file mode 100644 index 0000000000..a2f9134fe8 Binary files /dev/null and b/windows/security/threat-protection/auditing/images/event-5159.png differ diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index 6261639989..1deaa652b8 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) description: This topic lists new and updated topics in the WWindows Defender ATP content set. ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index e2554705b5..1439390f50 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -13,7 +13,7 @@ ms.date: 02/22/2019 # How to control USB devices and other removable media using Windows Defender ATP -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png index ff9c97c86e..3fae6eba9a 100644 Binary files a/windows/security/threat-protection/images/AH_icon.png and b/windows/security/threat-protection/images/AH_icon.png differ diff --git a/windows/security/threat-protection/images/AR_icon.png b/windows/security/threat-protection/images/AR_icon.png index 887498f7bc..fa8836ea1f 100644 Binary files a/windows/security/threat-protection/images/AR_icon.png and b/windows/security/threat-protection/images/AR_icon.png differ diff --git a/windows/security/threat-protection/images/ASR_icon.png b/windows/security/threat-protection/images/ASR_icon.png index 28b5b3156f..dd521d492a 100644 Binary files a/windows/security/threat-protection/images/ASR_icon.png and b/windows/security/threat-protection/images/ASR_icon.png differ diff --git a/windows/security/threat-protection/images/EDR_icon.png b/windows/security/threat-protection/images/EDR_icon.png index 7e6df62bdf..f2622cbc2b 100644 Binary files a/windows/security/threat-protection/images/EDR_icon.png and b/windows/security/threat-protection/images/EDR_icon.png differ diff --git a/windows/security/threat-protection/images/MTE_icon.png b/windows/security/threat-protection/images/MTE_icon.png new file mode 100644 index 0000000000..d5b9b48086 Binary files /dev/null and b/windows/security/threat-protection/images/MTE_icon.png differ diff --git a/windows/security/threat-protection/images/NGP_icon.png b/windows/security/threat-protection/images/NGP_icon.png index df1b70e041..6066f305a2 100644 Binary files a/windows/security/threat-protection/images/NGP_icon.png and b/windows/security/threat-protection/images/NGP_icon.png differ diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png index 95908405ce..e69ea2a796 100644 Binary files a/windows/security/threat-protection/images/SS_icon.png and b/windows/security/threat-protection/images/SS_icon.png differ diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png new file mode 100644 index 0000000000..41faa16718 Binary files /dev/null and b/windows/security/threat-protection/images/TVM_icon.png differ diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png new file mode 100644 index 0000000000..06f66acf99 Binary files /dev/null and b/windows/security/threat-protection/images/seccon-framework.png differ diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png new file mode 100644 index 0000000000..75467f2098 Binary files /dev/null and b/windows/security/threat-protection/images/security-control-classification.png differ diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png new file mode 100644 index 0000000000..4f869474e2 Binary files /dev/null and b/windows/security/threat-protection/images/security-control-deployment-methodologies.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index d81a0d9707..4c4b362d5c 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) description: Learn how Windows Defender ATP helps protect against threats. -keywords: threat protection, windows defender advanced threat protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, secure score, advanced hunting +keywords: threat protection, windows defender advanced threat protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,32 +9,43 @@ ms.sitesec: library ms.pagetype: security author: dansimp ms.localizationpriority: medium -ms.date: 10/04/2018 --- # Threat Protection -[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. + +>[!Note] +> The Windows Defender Security Center is currently going through rebranding. All references to Windows Defender will be replaced with Microsoft Defender. You will see the updates in the user interface and in the documentation library in next few months.

      Windows Defender ATP

      + - - + + - + - - +

      Threat & Vulnerability Management

      Attack surface reduction

      Next generation protection

      Endpoint detection and response

      Next generation protection

      Endpoint detection and response

      Automated investigation and remediation

      Secure score

      Advanced hunting

      Microsoft Threat Experts
      +
      Management and APIs
      Microsoft Threat Protection
      Microsoft Threat Protection

      + + +**[Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md)**
      +This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +- [Risk-based Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [What's in the dashboard and what it means for my organization](windows-defender-atp/tvm-dashboard-insights.md) +- [Configuration score](windows-defender-atp/configuration-score.md) +- [Scenarios](windows-defender-atp/threat-and-vuln-mgt-scenarios.md) @@ -72,6 +83,9 @@ Endpoint detection and response capabilities are put in place to detect, investi - [Forensic collection](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) - [Threat intelligence](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Advanced detonation and analysis service](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +- [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) + - [Custom detection](windows-defender-atp/overview-custom-detections.md) + - [Realtime and historical hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) @@ -92,13 +106,14 @@ Windows Defender ATP includes a secure score to help you dynamically assess the - [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) - [Threat analytics](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) - + -**[Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)**
      -Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. +**[Microsoft Threat Experts](windows-defender-atp/microsoft-threat-experts.md)**
      +Windows Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. -- [Custom detection](windows-defender-atp/overview-custom-detections.md) -- [Realtime and historical hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) +- [Targeted attack notification](windows-defender-atp/microsoft-threat-experts.md) +- [Experts-on-demand](windows-defender-atp/microsoft-threat-experts.md) +- [Configure your Microsoft Threat Protection managed hunting service](windows-defender-atp/configure-microsoft-threat-experts.md) diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md index acafa8b532..8902f8b68f 100644 --- a/windows/security/threat-protection/intelligence/coinminer-malware.md +++ b/windows/security/threat-protection/intelligence/coinminer-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Coin miners diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index c0a0e11884..9faa0b36fe 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # How Microsoft identifies malware and potentially unwanted applications diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index 9a519a1f3d..3768e71add 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Exploits and exploit kits diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 51d21fcd0c..f0d0633fa0 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -12,11 +12,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Fileless threats -What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. +What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another. @@ -25,13 +26,13 @@ To shed light on this loaded term, we grouped fileless threats into different ca ![Comprehensive diagram of fileless malware](images/fileless-malware.png)
      *Figure 1. Comprehensive diagram of fileless malware* -We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. +We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. -This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. +This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines. @@ -39,7 +40,7 @@ From this categorization, we can glean three big types of fileless threats based A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. -Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. +Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks. @@ -68,7 +69,7 @@ Having described the broad categories, we can now dig into the details and provi **File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file. -**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. +**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. ### Hardware @@ -76,9 +77,9 @@ Having described the broad categories, we can now dig into the details and provi **CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. -**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. +**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. -**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). +**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). **Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date. diff --git a/windows/security/threat-protection/intelligence/images/wdatp-pillars2.png b/windows/security/threat-protection/intelligence/images/wdatp-pillars2.png deleted file mode 100644 index 8a67d190b7..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/wdatp-pillars2.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index f58b40e4bf..e1f2daf0a0 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Macro malware diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index c2073434a4..faad082cc7 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Malware names diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 31666e81cb..8e7744a439 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Phishing @@ -83,6 +84,7 @@ Enterprises should educate and train their employees to be wary of any communica Here are several telltale signs of a phishing scam: * The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to. + ![example of how exploit kits work](./images/URLhover.png) * There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 6826c7b1af..58a9dfebdd 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Prevent malware infection diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 5e39af26b7..d8acf29b6a 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Ransomware diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index 7f3d5bf8b2..9bf672fbe7 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Rootkits diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 4ae4b880f3..890f7e0401 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Microsoft Safety Scanner diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 5ef22fbc0b..512fe8ad03 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Submit files for analysis diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 82d2b453d7..ba786ebe0b 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Supply chain attacks @@ -48,15 +49,17 @@ To learn more about supply chain attacks, read this blog post called [attack inc ### For software vendors and developers -* Take steps to ensure your apps are not compromised. - -* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems. +* Maintain a highly secure build and update infrastructure. * Immediately apply security patches for OS and software. - + * Implement mandatory integrity controls to ensure only trusted tools run. * Require multi-factor authentication for admins. -* Build secure software update processes as part of the software development lifecycle. +* Build secure software updaters as part of the software development lifecycle. + * Require SSL for update channels and implement certificate pinning. + * Sign everything, including configuration files, scripts, XML files, and packages. + * Check for digital signatures, and don’t let the software updater accept generic input and commands. * Develop an incident response process for supply chain attacks. + * Disclose supply chain incidents and notify customers with accurate and timely information For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 461a852aa9..2619629157 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Tech support scams diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index db3886f938..c035c41d1f 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -5,13 +5,14 @@ keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, d ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: high ms.author: ellevin author: levinec manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Top scoring in industry tests @@ -40,7 +41,11 @@ Windows Defender Antivirus is part of the [next generation](https://www.youtub The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) **Latest** +- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) **Latest** + + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score. + +- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples. @@ -112,6 +117,4 @@ It is important to remember that Microsoft sees a wider and broader set of threa The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. -Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). - -![ATP](./images/wdatp-pillars2.png) +Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index 0494fb62b7..c5e8363680 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Trojans diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index afe18b8e94..28f670b9f3 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +search.appverid: met150 --- # Understanding malware & other threats diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index bea8e40fca..ed1811238e 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Unwanted software diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index b7d6bd79e6..85021d7f4e 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -49,4 +49,4 @@ To be eligible for VIA your organization must: 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index f87f26230b..a889665a8c 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,29 +18,25 @@ ms.topic: article The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. -Like the [Virus Information Alliance (VIA)](virus-information-alliance-criteria.md) and the [Coordinated Malware Eradication (CME) program](coordinated-malware-eradication.md), MVI aims to share information about the threat landscape that can help your organization protect its customers. +MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to security related events and conferences. -MVI members will receive access to Windows APIs (such as those used by Windows Defender Security Center, IOAV, AMSI and Cloud Files), malware telemetry and samples, and invitations to security related events and conferences. - -MVI adds to VIA by requiring members to develop and own antimalware technology, and to be present in the antimalware industry community. +MVI requires members to develop and own antimalware technology and to be present in the antimalware industry community. ## Join MVI A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. -The base criteria for MVI membership are the same as for VIA, but your organization must also offer an antimalware or antivirus product. ### Initial selection criteria -Your organization must meet the following eligibility requirements to participate in the MVI program: +Your organization must meet the following eligibility requirements to qualify for the MVI program: 1. Offer an antimalware or antivirus product that is one of the following: * Your organization's own creation. - * Licensed from another organization, but your organization adds value such as additional Security intelligence. - * Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions). + * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. -2. Have your own malware research team unless you distribute a Whitebox product. +2. Have your own malware research team unless you build a product based on an SDK. 3. Be active and have a positive reputation in the antimalware industry. Your organization is: @@ -51,10 +47,10 @@ Your organization must meet the following eligibility requirements to participat 5. Be willing to sign a program license agreement. -6. Be willing to adhere to program requirements for AM apps. These requirements define the behavior of AM apps necessary to ensure proper interaction with Windows. +6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. -7. Submit your AM app to Microsoft for periodic performance testing. +7. Submit your app to Microsoft for periodic performance testing. ### Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 0916baf125..eea3dbea97 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -12,6 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +search.appverid: met150 --- # Worms diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 580a5b58bd..860ed64ab2 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -19,12 +19,12 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: -- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script. +- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be). For example: -[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)) +[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) [![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 0b3a95e875..cc5c550da5 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 04/01/2019 --- # Audit: Audit the use of Backup and Restore privilege @@ -80,7 +80,7 @@ When the backup and restore function is used, it creates a copy of the file syst ### Countermeasure Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](../auditing/basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner. -For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879). +For more information about configuring this key, see [Eventlog Key](https://docs.microsoft.com/windows/desktop/EventLog/eventlog-key). ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index d6d7af1bda..5b2eef2194 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -89,16 +89,6 @@ By default, members of the **Administrators** group, the System account, and ser When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right. -### Vulnerability - ->**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. -  -Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition. - -### Countermeasure - -Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account with this user right assigned. - ### Potential impact None. Not Defined is the default domain policy configuration. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 14740a3224..2be015772f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -24,7 +24,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy. +Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy. ### Possible values @@ -40,6 +40,8 @@ Set the time for elapsed user-input inactivity based on the device’s usage and Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options (While creating and linking group policy on server) + ### Default values The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 1fd68c4416..5201ac7cf1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -15,12 +15,12 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Network security: Configure encryption types allowed for Kerberos Win7 only +# Network security: Configure encryption types allowed for Kerberos **Applies to** - Windows 10 -Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. +Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting. ## Reference @@ -67,9 +67,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Default domain policy| Not defined| | Default domain controller policy| Not defined| | Stand-alone server default settings | Not defined| -| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| -| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| -| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.| +| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.| +| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.| +| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.|   ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index a7425d8dc2..06d22fc8d2 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -By default this setting is Administrators on domain controllers and on stand-alone servers. +By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 61a5bb0ce0..024554261c 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -7,14 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: tedhardyMSFT -ms.date: 02/16/2018 +ms.date: 02/28/2019 ms.localizationpriority: medium --- # Use Windows Event Forwarding to help with intrusion detection **Applies to** -- Windows 10 +- Windows 10 +- Windows Server Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. @@ -338,7 +339,7 @@ If your organizational audit policy enables additional auditing to meet its need | Category | Subcategory | Audit settings | |--------------------|---------------------------------|---------------------| | Account Logon | Credential Validation | Success and Failure | -| Account Management | Security Group Management | Success and Failure | +| Account Management | Security Group Management | Success | | Account Management | User Account Management | Success and Failure | | Account Management | Computer Account Management | Success and Failure | | Account Management | Other Account Management Events | Success and Failure | diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index 06978674b3..61bd6e91de 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 52f53a81bb..2d08b48bfe 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can perform various Windows Defender Antivirus functions with the dedicated command-line tool mpcmdrun.exe. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 2af6cfcbc3..b2246f6bc2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can manage and configure Windows Defender Antivirus with the following tools: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index b916b9c91e..5714563915 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -19,7 +19,7 @@ ms.date: 10/25/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) **Use Microsoft Intune to configure scanning options** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 8f34c26265..b5d15d6b55 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index e78a18862c..d7ffbcbafd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index f467dac2b6..d72265f76a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index ca5c66c4f2..430acbec64 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index a9db1100c9..492af0b7b7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -18,12 +18,15 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +> [!NOTE] +> Automatic exclusions apply only to Windows Server 2016 and above. + >[!TIP] >The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 833abbcaff..9feb4b7840 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 0cb2288b2e..71db8e1517 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 10/08/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 8a98cffbc7..9874e1fe22 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 40785cfdec..15f82314e7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index acb2c79bcf..de47e8d1a8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus uses several methods to provide threat protection: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index e063f1fda5..84cef362eb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 11/13/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 35159b5198..d09e59a96a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index c075da4014..64037f0090 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -11,14 +11,13 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 --- # Configure Windows Defender Antivirus exclusions on Windows Server **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions. @@ -34,6 +33,8 @@ Custom exclusions take precedence over automatic exclusions. > [!TIP] > Custom and duplicate exclusions do not conflict with automatic exclusions. + + Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions @@ -46,6 +47,9 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig > [!NOTE] > This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions. +> [!TIP] +> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . + You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. **Use Group Policy to disable the auto-exclusions list on Windows Server 2016:** @@ -159,6 +163,9 @@ This section lists the default exclusions for all Windows Server 2016 roles. - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + > [!NOTE] + > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* @@ -380,4 +387,4 @@ This section lists the folder exclusions that are delivered automatically when y - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 1451728ecf..862b5513c4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can configure Windows Defender Antivirus with a number of tools, including: diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index ae4eee36d6..b719577c49 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index d142dad965..5d587e3b8d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. @@ -41,7 +41,7 @@ System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection poi Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. 1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 59b048bfda..df219115d7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 06b879559b..1bf3ab9c2f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 475e161a65..37859694d9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 10/02/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 5d2d921020..787c9a85ad 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. @@ -45,6 +45,9 @@ There are specific network-connectivity requirements to ensure your endpoints ca - **Send safe samples automatically** - **Send all samples automatically** + >[!NOTE] + >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. + > [!WARNING] > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. @@ -73,6 +76,9 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 1. **Send safe samples** (1) 2. **Send all samples** (3) + >[!NOTE] + >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. + > [!WARNING] > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index e40b93abd1..c937715d4a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png new file mode 100644 index 0000000000..40c268666e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png new file mode 100644 index 0000000000..035a3c3b29 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png new file mode 100644 index 0000000000..2ed2c65ff8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png new file mode 100644 index 0000000000..517583aa77 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png new file mode 100644 index 0000000000..b12b0271fc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png new file mode 100644 index 0000000000..a70a369613 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png new file mode 100644 index 0000000000..674bd944f4 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png new file mode 100644 index 0000000000..f33c8959c0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png new file mode 100644 index 0000000000..35b3fda24e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png new file mode 100644 index 0000000000..18bbcb06d4 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png new file mode 100644 index 0000000000..3cc33ed139 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png new file mode 100644 index 0000000000..2ce5ef24b8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png new file mode 100644 index 0000000000..ec91e2e5ff Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png new file mode 100644 index 0000000000..4c2a62a20f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png new file mode 100644 index 0000000000..b531be1c10 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png new file mode 100644 index 0000000000..466c76234e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png new file mode 100644 index 0000000000..e31a329e3b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png new file mode 100644 index 0000000000..aa0d5c7caf Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png new file mode 100644 index 0000000000..200873d9d8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png new file mode 100644 index 0000000000..84c4fc4f59 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png new file mode 100644 index 0000000000..dede0a1038 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png new file mode 100644 index 0000000000..1bc70e06c0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png new file mode 100644 index 0000000000..40a57dee27 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png new file mode 100644 index 0000000000..e6fc0ad449 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png new file mode 100644 index 0000000000..6771c71e42 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png new file mode 100644 index 0000000000..a52e252d2e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png new file mode 100644 index 0000000000..1a84470e43 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png new file mode 100644 index 0000000000..be6bc477b4 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png new file mode 100644 index 0000000000..379f1bbddd Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png new file mode 100644 index 0000000000..2cb9a5a416 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png new file mode 100644 index 0000000000..4d848f6f96 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png new file mode 100644 index 0000000000..68b5f4381a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png new file mode 100644 index 0000000000..6280f2d7d2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index 923a59f0ba..93ef8703d6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -20,7 +20,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 6b53608726..4e04685c61 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index b79024274c..9a77e63d64 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index bb3a6e46d7..4f8774109a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus lets you determine when it should look for and download updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 9f27cec145..f05c21e0b5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index c43a3b2399..99e2c737d9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are two types of updates related to keeping Windows Defender Antivirus up to date: 1. Protection updates diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index b62b1c4182..93a9e45f84 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md new file mode 100644 index 0000000000..fbe8f28763 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -0,0 +1,509 @@ +--- +title: Microsoft Defender ATP for Mac +description: Describes how to install and use Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender ATP for Mac + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites +You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. + +You should also have access to Windows Defender Security Center. + +### System Requirements +Microsoft Defender ATP for Mac system requirements: +- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) +- Disk space during preview: 1GB + +After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. + +The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: + +| Service | Description | URL | +| -------------- |:------------------------------------:| --------------------------------------------------------------------:| +| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | + +To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: + +``` + mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' + OK +``` + +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. + +## Installation and configuration overview +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal + - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + * [JAMF based deployment](#jamf-based-deployment) + * [Manual deployment](#manual-deployment) + +## Microsoft Intune based deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ``` + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +### Client Machine Setup +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +### Create System Configuration profiles +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +7. Repeat these steps with the second profile. +8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +### Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +### Verify client machine state +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## JAMF based deployment +### Prerequsites +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +### Create JAMF Policies +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +#### Configuration Profile +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +#### Approved Kernel Extension + +To approve the kernel extension: +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +#### Package +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +#### Policy +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +### Client machine setup +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +### Deployment +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +#### Status on server +You can monitor the deployment status in the Logs tab: + - **Pending** means that the deployment is scheduled but has not yet happened + - **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + + +#### Status on client machine +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +``` +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: +``` +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +### Uninstalling Microsoft Defender ATP for Mac +#### Uninstalling with a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +``` +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +#### Uninstalling with a policy +Your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +### Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +``` +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Manual deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +### Application installation +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +### Client configuration +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` +2. Install the configuration file on a client machine: + + ``` + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Uninstallation +### Removing Microsoft Defender ATP from Mac devices +To remove Microsoft Defender ATP from your macOS devices: + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +Or, from a command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## Known issues +- Microsoft Defender ATP is not yet optimized for performance or disk space. +- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). +- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. +- Full Windows Defender ATP integration is not yet available +- Not localized yet +- There might be accessibility issues + +## Collecting diagnostic information +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ``` + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded +``` + + +### Installation issues +If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues. + + +For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_. diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 880d56c9e3..a156c5b1dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index efa0d8b522..6e22b89713 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 10d6f5bedc..1718727ee2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 11/16/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index c75f970b7b..ae3a67efe6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 7f0a6d6037..15a9be7d17 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 74b72c9ab1..9a451f585c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!NOTE] > By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. @@ -75,7 +75,7 @@ Location | Setting | Description | Default setting (if not configured) Scan | Specify the scan type to use for a scheduled scan | Quick scan Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled +Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
      In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled **Use PowerShell cmdlets to schedule scans:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 924c523815..089226de14 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. @@ -62,9 +62,14 @@ For more information about Intune device profiles, including how to create and c 5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. 1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - 1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files. - 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection). - + 1. Setting to **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files. + 2. Setting to **High blocking level** applies a strong level of detection. + 3. **High + blocking level** applies additional protection measures. + 4. **Zero tolerance blocking level** blocks all unknown executables. + + > [!WARNING] + > While unlikely, setting this switch to **High** might cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection). The **High +** setting might impact client performance. We recommend you set this to the default level (**Not configured**). + 1. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index d1ae21771c..85b5650e9c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues. diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index d23df5b8f1..0bdced17c6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/11/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index f1a344b3d2..dcb8f76069 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 89cf104935..566898708b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 73fca55e16..8e45003982 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx). diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index 0ae7bc9771..c4f3239b0c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 0d0f8bbae9..59ec895413 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index c58bf2bb8a..449d118890 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 7e7820edbb..de41958e5e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 2434b61627..f38d0b3823 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 9c669d0de5..e860e58f69 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 6a03421f8d..4b78bafccb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md index 9aad83e9c5..7bf12c4b20 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md @@ -2,7 +2,6 @@ # [AppLocker](applocker-overview.md) ## [Administer AppLocker](administer-applocker.md) -### [Administer AppLocker using MDM](administer-applocker-using-mdm.md) ### [Maintain AppLocker policies](maintain-applocker-policies.md) ### [Edit an AppLocker policy](edit-an-applocker-policy.md) ### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md deleted file mode 100644 index af56b3544c..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Administering AppLocker by using Mobile Device Management (MDM) (Windows 10) -description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. -ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/01/2018 ---- - -# Administering AppLocker by using Mobile Device Management (MDM) - -**Applies to** - - Windows 10 - - Windows Server - - diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index ac2242bb9f..0064ab97ef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 02/28/2019 --- # Administer AppLocker @@ -37,7 +37,6 @@ AppLocker helps administrators control how users can access and use files, such | Topic | Description | | - | - | -| [Administer AppLocker using Mobile Device Management (MDM)](administer-applocker-using-mdm.md) | This topic describes how to used MDM to manage AppLocker policies. | | [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. | | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. | | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. | @@ -71,5 +70,3 @@ You must have Edit Setting permission to edit a GPO. By default, members of the ## Using Windows PowerShell to administer AppLocker For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](https://technet.microsoft.com/library/hh847210.aspx). -  -  diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 154d463930..b1e10dc63f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -61,7 +61,7 @@ AppLocker uses path variables for well-known directories in Windows. Path variab | Windows directory or drive | AppLocker path variable | Windows environment variable | | - | - | - | | Windows | %WINDIR% | %SystemRoot% | -| System32 | %SYSTEM32%| %SystemDirectory%| +| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%| | Windows installation directory | %OSDRIVE%|%SystemDrive%| | Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| | Removable media (for example, CD or DVD) | %REMOVABLE%| | diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 8522325f19..34fbe7530e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 08/31/2018 +ms.date: 04/09/2019 --- # Microsoft recommended block rules @@ -60,6 +60,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Lee Christensen|@tifkin_| |Vladas Bulavas | Kaspersky Lab | |Lasse Trolle Borup | Langkjaer Cyber Defence | +|Jimmy Bayne | @bohops | +|Philip Tsukerman | @PhilipTsukerman |
      @@ -76,7 +78,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. -Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: +Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files: + +- msxml3.dll +- msxml6.dll +- jscript9.dll + +Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. ```xml @@ -137,7 +145,35 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + --> + + + + --> + + + + --> + + + + --> + + + + --> @@ -842,8 +878,11 @@ Microsoft recommends that you block the following Microsoft-signed applications - - + + + + + diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 3579ace8b1..80dbb5a03b 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -13,7 +13,7 @@ ms.date: 10/17/2017 # Configure Windows Defender Application Guard policy settings -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 0c72267505..8be213c70e 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -8,12 +8,13 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 11/07/2017 +ms.date: 03/28/2019 + --- # Frequently asked questions - Windows Defender Application Guard -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. @@ -22,7 +23,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |---|----------------------------| |**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| -|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | ||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | ||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| ||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png index 48aa702feb..1afbd303b0 100644 Binary files a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 0d185ae9bd..7bbb3edc4c 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -14,7 +14,7 @@ ms.date: 02/19/2019 # Prepare to install Windows Defender Application Guard **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements @@ -76,6 +76,11 @@ Application Guard functionality is turned off by default. However, you can quick Application Guard and its underlying dependencies are all installed. **To install by using PowerShell** + +>[!NOTE] +>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. + + 1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 72eb82edac..fc2f274410 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -13,7 +13,7 @@ ms.date: 11/09/2017 # System requirements for Windows Defender Application Guard -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
      Windows 10 Professional edition, version 1803| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
      Windows 10 Professional edition, version 1803 or higher
      Windows 10 Education edition, version 1709 or higher
      Windows 10 Pro Education edition, version 1803 or higher| |Browser|Microsoft Edge and Internet Explorer| |Management system
      (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

      **-OR-**

      [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

      **-OR-**

      [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 798a74c87b..092d966221 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,13 +8,13 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 01/16/2019 +ms.date: 03/15/2019 --- # Application Guard testing scenarios -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. @@ -25,7 +25,7 @@ You can see how an employee would use standalone mode with Application Guard. **To test Application Guard in Standalone mode** -1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide. +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. @@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. -1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard) steps in this guide. +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard). 2. Restart the device and then start Microsoft Edge. @@ -68,7 +68,7 @@ Before you can use Application Guard in enterprise mode, you must install Window 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. -5. Click **Enabled** and click **OK**. +5. Click **Enabled**, choose Option **1**, and click **OK**. ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 16fa6c33df..41cf3d2bd0 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -8,12 +8,12 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 11/27/2018 +ms.date: 03/28/2019 --- # Windows Defender Application Guard overview -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. @@ -40,7 +40,7 @@ Application Guard has been created to target several types of systems: | | | |---|----------------------------| |**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| -|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | ||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | ||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| ||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index f89dbc8e24..bf7a2585b8 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -1,11 +1,17 @@ # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) ## [Overview](overview.md) +### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md) +#### [Configuration score](configuration-score.md) +#### [Scenarios](threat-and-vuln-mgt-scenarios.md) + + ### [Attack surface reduction](overview-attack-surface-reduction.md) #### [Hardware-based isolation](overview-hardware-based-isolation.md) ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) ###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md) -##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) +##### [System integrity](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) #### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) @@ -32,6 +38,7 @@ ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) ##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) + #### Machines list ##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) @@ -70,9 +77,10 @@ ### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) -#### [Threat analytics](threat-analytics.md) -#### [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +### [Microsoft Threat Experts](microsoft-threat-experts.md) + +### [Threat analytics](threat-analytics.md) ### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) #### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) @@ -81,19 +89,16 @@ #### [Custom detections](overview-custom-detections.md) #####[Create custom detections rules](custom-detection-rules.md) - ### [Management and APIs](management-apis.md) #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP APIs](apis-intro.md) #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md) - ### [Microsoft Threat Protection](threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview](information-protection-in-windows-overview.md) - ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) @@ -132,7 +137,6 @@ ####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) ####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md) -##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md) ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md) #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) @@ -209,6 +213,8 @@ ### [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) +### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) + ### Management and API support #### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md) @@ -221,6 +227,7 @@ ###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) ##### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) ##### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +##### [Onboard machines without Internet access](onboard-offline-machines.md) ##### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) ##### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) @@ -228,11 +235,13 @@ ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -#### [Use the Windows Defender ATP exposed APIs](use-apis.md) -##### Create your app -###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md) -###### [Get access without a user](exposed-apis-create-app-webapp.md) -##### [Supported Windows Defender ATP APIs](exposed-apis-list.md) +#### [Windows Defender ATP API](use-apis.md) +##### [Get started with Windows Defender ATP APIs](apis-intro.md) +###### [Hello World](api-hello-world.md) +###### [Get access with application context](exposed-apis-create-app-webapp.md) +###### [Get access with user context](exposed-apis-create-app-nativeapp.md) +##### [APIs](exposed-apis-list.md) + ###### [Advanced Hunting](run-advanced-query-api.md) ###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md) @@ -246,24 +255,6 @@ ####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) ####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) -###### Domain -####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md) -####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) - -###### [File](files-windows-defender-advanced-threat-protection-new.md) -####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md) -####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) - -###### IP -####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md) -####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) - ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md) ####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md) ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) @@ -284,6 +275,30 @@ ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) ####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) +####### [Initiate investigation (preview)](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) + +###### [Indicators (preview)](ti-indicator-windows-defender-advanced-threat-protection-new.md) +####### [Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) +####### [List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) +####### [Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) + +###### Domain +####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md) +####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) + +###### [File](files-windows-defender-advanced-threat-protection-new.md) +####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md) +####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) + +###### IP +####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md) +####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) ###### [User](user-windows-defender-advanced-threat-protection-new.md) ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) @@ -314,14 +329,19 @@ ##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +##### [Windows Defender ATP SIEM alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) #### Reporting ##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) ##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md) +##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md) + + +#### Interoperability +##### [Partner applications](partner-applications.md) #### Role-based access control ##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) @@ -337,7 +357,7 @@ ####[Configure information protection in Windows](information-protection-in-windows-config.md) -### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md) +### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) #### General ##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) ##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) @@ -358,7 +378,8 @@ ####Rules ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) -##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +##### [Manage indicators](manage-indicators.md) ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) @@ -367,8 +388,6 @@ ##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md) #### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md) - - ## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) @@ -385,5 +404,7 @@ ###Troubleshoot attack surface reduction #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md) #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md) +#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md) + ### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md index 3735e259ac..ef694ec2c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -19,12 +19,9 @@ ms.topic: article # Add or Remove Machine Tags API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] - -- Adds or remove tag to a specific machine. +This API adds or remove tag to a specific machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -104,7 +101,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index c87fd3c401..dff8fdeb1c 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/16/2018 --- # Configure advanced features in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) @@ -40,11 +39,11 @@ For tenants created on or after Windows 10, version 1809 the automated investiga >[!NOTE] > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. ->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it. +>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. ## Block file -This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. +This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#block-files-in-your-network) for more details. If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. @@ -59,6 +58,10 @@ For more information, see [Investigate a user account](investigate-user-windows- ## Skype for Business integration Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. +>[!NOTE] +> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. + + ## Azure Advanced Threat Protection integration The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view. @@ -87,6 +90,13 @@ When you enable this feature, you'll be able to incorporate data from Office 365 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +## Microsoft Threat Experts +This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it. + +>[!NOTE] +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. + + ## Microsoft Cloud App Security Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 3589cf3196..6c0c82d32d 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 3fbf85c93e..e4ad2bca0f 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 06/01/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -42,6 +42,8 @@ To effectively build queries that span multiple tables, you need to understand t | AdditionalFields | string | Additional information about the event in JSON array format | | AlertId | string | Unique identifier for the alert | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| Category | string | Type of threat indicator or breach activity identified by the alert | +| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | | ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. | | DefaultGateways | string | Default gateway addresses in JSON array format | @@ -73,6 +75,8 @@ To effectively build queries that span multiple tables, you need to understand t | Ipv4Dhcp | string | IPv4 address of DHCP server | | Ipv6Dhcp | string | IPv6 address of DHCP server | | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | +| IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file | | LocalIP | string | IP address assigned to the local machine used during communication | | LocalPort | int | TCP port on the local machine used during communication | | LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | @@ -89,6 +93,7 @@ To effectively build queries that span multiple tables, you need to understand t | OSArchitecture | string | Architecture of the operating system running on the machine | | OSBuild | string | Build version of the operating system running on the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| OsVersion | string | Version of the operating system running on the machine | | PreviousRegistryKey | string | Original registry key of the registry value before it was modified | | PreviousRegistryValueData | string | Original data of the registry value before it was modified | | PreviousRegistryValueName | string | Original name of the registry value before it was modified | @@ -110,8 +115,12 @@ To effectively build queries that span multiple tables, you need to understand t | RemotePort | int | TCP port on the remote device that was being connected to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | +| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | +| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | +| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| RegistryMachineTag | string | Machine tag added through the registry | | Table | string | Table that contains the details of the event | | TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 850fea7739..fb04442da2 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts. -keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period +keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -21,7 +21,7 @@ ms.date: 04/24/2018 # View and organize the Windows Defender Advanced Threat Protection Alerts queue **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -77,7 +77,7 @@ Corresponds to the automated investigation state. You can choose between showing alerts that are assigned to you or automation. ### Detection source -Select the source that triggered the alert detection. +Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service. >[!NOTE] >The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product. diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md index 5043e422a5..da3a29ed3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Alert resource type **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - -Represents an alert entity in WDATP. +Represents an alert entity in Windows Defender ATP. # Methods Method|Return Type |Description diff --git a/windows/security/threat-protection/windows-defender-atp/api-hello-world.md b/windows/security/threat-protection/windows-defender-atp/api-hello-world.md new file mode 100644 index 0000000000..9ee1dafbb9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/api-hello-world.md @@ -0,0 +1,189 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Windows Defender ATP API - Hello World + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## Get Alerts using a simple PowerShell script + +### How long it takes to go through this example? +It only takes 5 minutes done in two steps: +- Application registration +- Use examples: only requires copy/paste of a short PowerShell script + +### Do I need a permission to connect? +For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure AD) tenant. + +### Step 1 - Create an App in Azure Active Directory + +1. Log on to [Azure](https://portal.azure.com) with your Global administrator user. + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the registration form, enter the following information, then click **Create**. + + - **Name:** Choose your own name. + - **Application type:** Web app / API + - **Redirect URI:** `https://127.0.0.1` + + ![Image of Create application window](images/webapp-create.png) + +4. Allow your App to access Windows Defender ATP and assign it 'Read all alerts' permission: + + - Click **Settings** > **Required permissions** > **Add**. + + ![Image of new app in Azure](images/webapp-add-permission.png) + + - Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + + ![Image of API access and API selection](images/webapp-add-permission-2.png) + + - Click **Select permissions** > **Read all alerts** > **Select**. + + ![Image of API access and API selection](images/webapp-add-permission-readalerts.png) + + - Click **Done** + + ![Image of add permissions completion](images/webapp-add-permission-end.png) + + - Click **Grant permissions** + + **Note**: Every time you add permission you must click on **Grant permissions**. + + ![Image of Grant permissions](images/webapp-grant-permissions.png) + +5. Create a key for your App: + + - Click **Keys**, type a key name and click **Save**. + + ![Image of create app key](images/webapp-create-key.png) + +6. Write down your App ID and your Tenant ID: + + - App ID: + + ![Image of created app id](images/webapp-app-id1.png) + + - Tenant ID: Navigate to **Azure Active Directory** > **Properties** + + ![Image of create app key](images/api-tenant-id.png) + + +Done! You have successfully registered an application! + +### Step 2 - Get a token using the App and use this token to access the API. + +- Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**" +- Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**". + +``` +# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory +# Paste below your Tenant ID, App ID and App Secret (App key). + +$tenantId = '' ### Paste your tenant ID here +$appId = '' ### Paste your app ID here +$appSecret = '' ### Paste your app key here + +$resourceAppIdUri = 'https://api.securitycenter.windows.com' +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$authBody = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} +$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop +$token = $authResponse.access_token +Out-File -FilePath "./Latest-token.txt" -InputObject $token +return $token + +``` + +- Sanity Check:
      +Run the script.
      +In your browser go to: https://jwt.ms/
      +Copy the token (the content of the Latest-token.txt file).
      +Paste in the top box.
      +Look for the "roles" section. Find the Alert.Read.All role. + +![Image jwt.ms](images/api-jwt-ms.png) + +### Lets get the Alerts! + +- The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts. +- Save this script in the same folder you saved the previous script **Get-Token.ps1**. +- The script creates two files (json and csv) with the data in the same folder as the scripts. + +``` +# Returns Alerts created in the past 48 hours. + +$token = ./Get-Token.ps1 #run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-Token.ps1 + +# Get Alert from the last 48 hours. Make sure you have alerts in that time frame. +$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o") + +# The URL contains the type of query and the time filter we create above +# Read more about other query options and filters at Https://TBD- add the documentation link +$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime" + +# Set the WebRequest headers +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $token" +} + +# Send the webrequest and get the results. +$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop + +# Extract the alerts from the results. +$alerts = ($response | ConvertFrom-Json).value | ConvertTo-Json + +# Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file +$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."} + +# Save the result as json and as csv +$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json" +$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv" + +Out-File -FilePath $outputJsonPath -InputObject $alerts +($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation + +``` + +You’re all done! You have just successfully: +- Created and registered and application +- Granted permission for that application to read alerts +- Connected the API +- Used a PowerShell script to return alerts created in the past 48 hours + + + +## Related topic +- [Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md) +- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index edd3eab3fe..4520b214d1 100644 --- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -18,12 +18,12 @@ ms.topic: article ms.date: 10/16/2017 --- -# Windows Defender ATP alert API fields +# Windows Defender ATP SIEM alert API fields **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/windows-defender-atp/apis-intro.md index d1d2b0fceb..d05ecd0f1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/windows-defender-atp/apis-intro.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection API overview description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities -keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -14,48 +14,52 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Windows Defender ATP API overview -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Prerelease information](prerelease.md)] +> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: -- Create an app -- Get an access token +- Create an AAD application +- Get an access token using this application - Use the token to access Windows Defender ATP API -As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up. +You can access Windows Defender ATP API with **Application Context** or **User Context**. -## Delegated permissions, application permissions, and effective permissions +- **Application Context: (Recommended)**
      + Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons. -Windows Defender ATP has two types of permissions: delegated permissions and application permissions. + Steps that need to be taken to access Windows Defender ATP API with application context: -- **Delegated permissions**
      - Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent. -- **Application permissions**
      - Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator. + 1. Create an AAD Web-Application. + 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. + 3. Create a key for this Application. + 4. Get token using the application with its key. + 5. Use the token to access Windows Defender ATP API -Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP. + For more information, see [Get access with application context](exposed-apis-create-app-webapp.md). -- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles). - For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine. +- **User Context:**
      + Used to perform actions in the API on behalf of a user. -- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization. + Steps that needs to be taken to access Windows Defender ATP API with application context: + 1. Create AAD Native-Application. + 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. + 3. Get token using the application with user credentials. + 4. Use the token to access Windows Defender ATP API + + For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md). ## Related topics -- [Supported Windows Defender ATP APIs](exposed-apis-list.md) -- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md) -- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file +- [Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md) +- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index e6775508c0..bc87a4503f 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 11/28/2018 **Applies to:** - Azure Active Directory - Office 365 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 76ba536762..a86ee0b027 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 11/20/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index 6317c4b3cb..7dc172d03f 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.topic: article **Applies to:** - Azure Active Directory -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) @@ -66,7 +66,7 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 3571e067fc..007cfbede6 100644 --- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 04/24/2018 # Check sensor health state in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 70fb7fe34a..426f70f81a 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -14,18 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 + --- # Collect investigation package API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] Collect investigation package from a machine. -[!include[Machine actions note](machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md index bbe7653865..35ed4d4458 100644 --- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 04/24/2018 # Access the Windows Defender ATP Community Center **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 0db8c85384..d3dff32b11 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ ms.topic: article # Enable conditional access to better protect users, devices, and data **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/configuration-score.md b/windows/security/threat-protection/windows-defender-atp/configuration-score.md new file mode 100644 index 0000000000..f9308eff7e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configuration-score.md @@ -0,0 +1,56 @@ +--- +title: Overview of Configuration score in Microsoft Defender Security Center +description: Expand your visibility into the overall security configuration posture of your organization +keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Configuration score +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. + +The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. + +Your configuration score widget shows the collective security configuration state of your machines across the following categories: +- Application +- Operating system +- Network +- Accounts +- Security controls + +## How it works + +What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +- Compare collected configurations to the collected benchmarks to discover misconfigured assets +- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration +- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) +- Collect and monitor changes of security control configuration state from all assets + +From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. + +## Improve your configuration score +The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: +- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** +- **Remediation type** - **Configuration change** or **Software update** + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md new file mode 100644 index 0000000000..bb81e3d1db --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md @@ -0,0 +1,44 @@ +--- +title: Configure Threat & Vulnerability Management in Windows Defender ATP +description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. +keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- +# Configure Threat & Vulnerability Management +**Applies to:** +- [Windows Defender Advanced Threat Protection Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. + +### Before you begin +>[!IMPORTANT] +Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
      + +Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). + +>[!WARNING] +>Only Intune and SCCM enrolled devices are supported in this scenario.
      +>Use any of the following options to enroll devices in Intune: +>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) +>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) +>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index 852dfacc9f..d418764a45 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 12/20/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -97,8 +97,8 @@ The following steps assume that you have completed all the required steps in [Be For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file. Events URL - Depending on the location of your datacenter, select either the EU or the US URL:

      **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME -
      **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME + Depending on the location of your datacenter, select either the EU or the US URL:

      **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
      +
      **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

      **For UK**: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME Authentication Type OAuth 2 @@ -107,7 +107,7 @@ The following steps assume that you have completed all the required steps in [Be Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded. Refresh Token - You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

      For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

      **Get your refresh token using the restutil tool:**
      a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

      b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open.

      c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

      d. A refresh token is shown in the command prompt.

      e. Copy and paste it into the **Refresh Token** field. + You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

      For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

      **Get your refresh token using the restutil tool:**
      a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

      b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open.

      c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

      d. A refresh token is shown in the command prompt.

      e. Copy and paste it into the **Refresh Token** field. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md index b57e79e61b..cd442ff5d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ ms.date: 09/03/2018 # Configure conditional access in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This section guides you through all the steps you need to take to properly implement conditional access. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index d926b28800..2d843ca2bd 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 10/08/2018 # Configure alert notifications in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) @@ -52,8 +52,13 @@ You can create rules that determine the machines and alert severities to send em - **Rule name** - Specify a name for the notification rule. - **Include organization name** - Specify the customer name that appears on the email notification. - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant. + - **Include machine information** - Includes the machine name in the email alert body. + + >[!NOTE] + > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Windows Defender ATP data. + - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - - **Alert severity** - Choose the alert severity level + - **Alert severity** - Choose the alert severity level. 4. Click **Next**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index ad6b565b7e..a2e8e2a9d2 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -24,7 +24,7 @@ ms.date: 04/24/2018 - Group Policy -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -48,7 +48,7 @@ ms.date: 04/24/2018 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. -3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. @@ -78,7 +78,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ -2. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. +2. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**. 3. In the **Group Policy Management Editor**, go to **Computer configuration**. @@ -110,7 +110,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 7eb6e5ace0..57ba954930 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 12/06/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 541f53e85e..de556b2903 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.topic: article - macOS - Linux -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 4136a69a74..4d6b519e13 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 12/11/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - System Center 2012 Configuration Manager or later versions @@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic. a. Choose a predefined device collection to deploy the package to. @@ -92,7 +92,7 @@ Possible values are: The default value in case the registry key doesn’t exist is 1. -For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). +For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). @@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic. a. Choose a predefined device collection to deploy the package to. @@ -155,7 +155,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status” Name: “OnboardingState” Value: “1” ``` -For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). +For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 14a13f7b3a..fee63e07dd 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.topic: article **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index 89b42c84ff..dc4a53e6ea 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 07/12/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md new file mode 100644 index 0000000000..37481f2312 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md @@ -0,0 +1,138 @@ +--- +title: Configure and manage Microsoft Threat Experts capabilities +description: You need to register to Microsoft Threats Experts preview to configure, manage, and use it in your daily security operations and security administration work. +keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 02/28/2019 +--- + +# Configure and manage Microsoft Threat Experts capabilities +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +## Before you begin +To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview. + +You also need to ensure that you have Windows Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. + + +## Register to Microsoft Threat Experts preview +If you're already a Windows Defender ATP customer, you can apply for preview through the Windows Defender ATP portal. + +1. From the navigation pane, go to **Settings > General > Advanced features > Threat Experts**. + +2. Click **Apply for preview**. + +3. In the **Apply for preview** dialog box, read and make sure you understand the preview's terms of agreement. + +4. Enter your name and email address so that Microsoft can get back to you on your application. + +5. Read the privacy statement, then click **Submit** when you're done. + + >[!NOTE] + >You will receive a welcome email once your application is approved. Then, from the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. + + +## Receive targeted attack notification from Microsoft Threat Experts +You can receive targeted attack notification from Microsoft Threat Experts through the following: +- The Windows Defender ATP portal's **Alerts** dashboard +- Your email, if you choose to configure it + +To receive targeted attack notifications through email, you need to create an email notification rule. + +### Create an email notification rule +You can create rules to send email notifications for notification recipients. See Configure alert notifications to create, edit, delete, or troubleshoot email notification, for details. + + +## View the targeted attack notification +You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification. + +1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**. + +2. From the dashboard, select the same alert topic that you got from the email, to view the details. + + +## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization +You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. + +1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. +2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**. +3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket. + + **Step 1: Provide information** + a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu.
      + + b. Enter the additional details to give the threat experts more context of what you’d like to investigate. Click **Next**, and it takes you to the **Open support ticket** tab.
      + + c. Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages.
      + + **Step 2: Open a support ticket** + >[!NOTE] + >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. + + a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
      + + **Select the product family**: **Security**
      + **Select a product**: **Microsoft Threat Experts**
      + **Select a category that best describes the issue**: **Windows Defender ATP**
      + **Select a problem that best describes the issue**: Choose according to your inquiry category
      + + b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
      + + c. In the **Select a support plan** page, select **Professional No Charge**.
      + + d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**.
      + + e. Verify your contact details and add another if necessary. Then, click **Next**.
      + + f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
      + +## Sample questions to ask Microsoft Threat Experts +**Alert information** +- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? +- We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? +- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored? +- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. + +**Possible machine compromise** +- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity. +- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? + +**Threat intelligence details** +- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link? +- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor? + +**Microsoft Threat Experts’ alert communications** +- Can your incident response team help us address the targeted attack notification that we got? +- I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident? +- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team? + + >[!NOTE] + >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. + +## Scenario + +### Receive a progress report about your managed hunting inquiry +Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories: +- More information is needed to continue with the investigation +- A file or several file samples are needed to determine the technical context +- Investigation requires more time +- Initial information was enough to conclude the investigation + +It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details. + diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md index 785c598a10..738c8f0548 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 09/03/2018 # Configure managed security service provider integration **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 6c38860bcb..595b8af148 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -15,14 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/14/2019 --- # Configure machine proxy and Internet connectivity settings **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -96,7 +95,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | Microsoft.com DNS record :---|:--- -Common URLs for all locations | ```*.blob.core.windows.net```
      ```crl.microsoft.com```
      ```ctldl.windowsupdate.com```
      ```events.data.microsoft.com``` +Common URLs for all locations | ```*.blob.core.windows.net```
      ```crl.microsoft.com```
      ```ctldl.windowsupdate.com```
      ```events.data.microsoft.com```
      ```notify.windows.com``` European Union | ```eu.vortex-win.data.microsoft.com```
      ```eu-v20.events.data.microsoft.com```
      ```winatp-gw-neu.microsoft.com```
      ```winatp-gw-weu.microsoft.com``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
      ```uk-v20.events.data.microsoft.com```
      ```winatp-gw-uks.microsoft.com```
      ```winatp-gw-ukw.microsoft.com``` United States | ```us.vortex-win.data.microsoft.com```
      ```us-v20.events.data.microsoft.com```
      ```winatp-gw-cus.microsoft.com```
      ```winatp-gw-eus.microsoft.com``` @@ -166,6 +165,9 @@ If at least one of the connectivity options returns a (200) status, then the Win However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. +> [!NOTE] +> When the TelemetryProxyServer is set, in Registry or via Group Policy, Windows Defender ATP will fall back to direct if it can't access the defined proxy. + ## Related topics - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 93dc8a9bec..03df5ce551 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -1,224 +1,238 @@ ---- -title: Onboard servers to the Windows Defender ATP service -description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. -keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 12/14/2018 ---- - -# Onboard servers to the Windows Defender ATP service - -**Applies to:** - -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server, version 1803 -- Windows Server, 2019 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -[!include[Prerelease information](prerelease.md)] - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) - - -Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. - -The service supports the onboarding of the following servers: -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server, version 1803 -- Windows Server 2019 - - -For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). - -## Windows Server 2012 R2 and Windows Server 2016 - -To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: - -- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. - - >[!NOTE] - >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. - -- Turn on server monitoring from Windows Defender Security Center. -- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. - ->[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). - -### Configure and update System Center Endpoint Protection clients ->[!IMPORTANT] ->This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. - -Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting - - -### Turn on Server monitoring from the Windows Defender Security Center portal - -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. - -2. Select Windows Server 2012R2 and 2016 as the operating system. - -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. - - -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP - -1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). - -2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: - - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
      - On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). - -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). - -Once completed, you should see onboarded servers in the portal within an hour. - - -### Configure server proxy and Internet connectivity settings - -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: - -Agent Resource | Ports -:---|:--- -| *.oms.opinsights.azure.com | 443 | -| *.blob.core.windows.net | 443 | -| *.azure-automation.net | 443 | -| *.ods.opinsights.azure.com | 443 | -| winatp-gw-cus.microsoft.com | 443 | -| winatp-gw-eus.microsoft.com | 443 | -| winatp-gw-neu.microsoft.com | 443 | -| winatp-gw-weu.microsoft.com | 443 | -|winatp-gw-uks.microsoft.com | 443 | -|winatp-gw-ukw.microsoft.com | 443 | -| winatp-gw-aus.microsoft.com | 443| -| winatp-gw-aue.microsoft.com |443 | - -## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. - -Supported tools include: -- Local script -- Group Policy -- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 -- VDI onboarding scripts for non-persistent machines - - For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. - -1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). - -2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: - - a. Set the following registry entry: - - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - - Name: ForceDefenderPassiveMode - - Value: 1 - - b. Run the following PowerShell command to verify that the passive mode was configured: - - ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` - - c. Confirm that a recent event containing the passive mode event is found: - - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) - -3. Run the following command to check if Windows Defender AV is installed: - - ```sc query Windefend``` - - If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). - - -## Integration with Azure Security Center -Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. - ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. - -The following capabilities are included in this integration: -- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). - - >[!NOTE] - > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - -- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. -- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach - ->[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. ->- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. - - - -## Offboard servers -You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. - -For other server versions, you have two options to offboard servers from the service: -- Uninstall the MMA agent -- Remove the Windows Defender ATP workspace configuration - ->[!NOTE] ->Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. - -### Uninstall servers by uinstalling the MMA agent -To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. -For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). - -### Remove the Windows Defender ATP workspace configuration -To offboard the server, you can use either of the following methods: - -- Remove the Windows Defender ATP workspace configuration from the MMA agent -- Run a PowerShell command to remove the configuration - -#### Remove the Windows Defender ATP workspace configuration from the MMA agent - -1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. - -2. Select the Windows Defender ATP workspace, and click **Remove**. - - ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png) - -#### Run a PowerShell command to remove the configuration - -1. Get your Workspace ID: - a. In the navigation pane, select **Settings** > **Onboarding**. - - b. Select **Windows Server 2012R2 and 2016** as the operating system and get your Workspace ID: - - ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) - -2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: - - ``` - # Load agent scripting object - $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg - # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) - # Reload the configuration and apply changes - $AgentCfg.ReloadConfiguration() - ``` - -## Related topics -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +--- +title: Onboard servers to the Windows Defender ATP service +description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Onboard servers to the Windows Defender ATP service + +**Applies to:** + +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server, 2019 +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) + + +Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. + +The service supports the onboarding of the following servers: +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server 2019 + + +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). + +## Windows Server 2012 R2 and Windows Server 2016 + +There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP: + +- **Option 1**: Onboard through Azure Security Center +- **Option 2**: Onboard through Windows Defender Security Center + +### Option 1: Onboard servers through Azure Security Center +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows Server 2012 R2 and 2016 as the operating system. + +3. Click **Onboard Servers in Azure Security Center**. + +4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). + +### Option 2: Onboard servers through Windows Defender Security Center +You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center. + +- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. + + >[!NOTE] + >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +- Turn on server monitoring from Windows Defender Security Center. +- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + +>[!TIP] +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). + +### Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + + +### Turn on Server monitoring from the Windows Defender Security Center portal + +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows Server 2012 R2 and 2016 as the operating system. + +3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. + + +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP + +1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). + +2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
      + On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). + +Once completed, you should see onboarded servers in the portal within an hour. + + +### Configure server proxy and Internet connectivity settings + +- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: + +Agent Resource | Ports +:---|:--- +| *.oms.opinsights.azure.com | 443 | +| *.blob.core.windows.net | 443 | +| *.azure-automation.net | 443 | +| *.ods.opinsights.azure.com | 443 | +| winatp-gw-cus.microsoft.com | 443 | +| winatp-gw-eus.microsoft.com | 443 | +| winatp-gw-neu.microsoft.com | 443 | +| winatp-gw-weu.microsoft.com | 443 | +|winatp-gw-uks.microsoft.com | 443 | +|winatp-gw-ukw.microsoft.com | 443 | +| winatp-gw-aus.microsoft.com | 443| +| winatp-gw-aue.microsoft.com |443 | + +## Windows Server, version 1803 and Windows Server 2019 +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. + +Supported tools include: +- Local script +- Group Policy +- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 +- VDI onboarding scripts for non-persistent machines + + For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. + +1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). + +2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: + + a. Set the following registry entry: + - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - Name: ForceDefenderPassiveMode + - Value: 1 + + b. Run the following PowerShell command to verify that the passive mode was configured: + + ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + + c. Confirm that a recent event containing the passive mode event is found: + + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + +3. Run the following command to check if Windows Defender AV is installed: + + ```sc query Windefend``` + + If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + + +## Integration with Azure Security Center +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +>[!NOTE] +>You'll need to have the appropriate license to enable this feature. + +The following capabilities are included in this integration: +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). + + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + +- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. +- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach + +>[!IMPORTANT] +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. +>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. + + + +## Offboard servers +You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. + +For other server versions, you have two options to offboard servers from the service: +- Uninstall the MMA agent +- Remove the Windows Defender ATP workspace configuration + +>[!NOTE] +>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. + +### Uninstall servers by uinstalling the MMA agent +To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. +For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). + +### Remove the Windows Defender ATP workspace configuration +To offboard the server, you can use either of the following methods: + +- Remove the Windows Defender ATP workspace configuration from the MMA agent +- Run a PowerShell command to remove the configuration + +#### Remove the Windows Defender ATP workspace configuration from the MMA agent + +1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. + +2. Select the Windows Defender ATP workspace, and click **Remove**. + + ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png) + +#### Run a PowerShell command to remove the configuration + +1. Get your Workspace ID: + a. In the navigation pane, select **Settings** > **Onboarding**. + + b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: + + ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) + +2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: + + ``` + # Load agent scripting object + $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg + # Remove OMS Workspace + $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + # Reload the configuration and apply changes + $AgentCfg.ReloadConfiguration() + ``` + +## Related topics +- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) +- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) +- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index b59c733f97..239c4d95db 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -22,8 +22,7 @@ ms.date: 10/16/2017 **Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index 2177e72018..baf0a25a95 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 10/16/2017 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -69,7 +69,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. Endpoint URL - Depending on the location of your datacenter, select either the EU or the US URL:

      **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`
      **For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts` + Depending on the location of your datacenter, select any of the following URL:

      **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`

      **For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`

      **For UK:**` https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts` HTTP Method @@ -111,7 +111,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. Set sourcetype - From list + Manual Source type diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index d20d381975..e6a5f47f96 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 + --- # Create alert from event API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md index 3938e9b3f5..4998ae8a80 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/29/2018 --- # Create custom detections rules **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 1. In the navigation pane, select **Advanced hunting**. diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 14a91c2829..bc9982d2ae 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index 911625d579..8a393d5b81 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 92e081ea4a..8967eb0a92 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/07/2018 --- # Windows Defender ATP data storage and privacy @@ -37,12 +36,12 @@ Information collected includes file data (such as file names, sizes, and hashes) Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). -Microsoft uses this data to: +This data enables Windows Defender ATP to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. -Microsoft does not use your data for advertising or for any other purpose other than providing you the service. +Microsoft does not use your data for advertising. ## Data protection and encryption The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. @@ -55,7 +54,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers (soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. @@ -70,6 +69,9 @@ Microsoft developers and administrators have, by design, been given sufficient p Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer’s account or related information in the performance of their duties. +Access to data for services deployed in Microsoft Azure Government data centers is only granted to operating personnel who have been screened and approved to handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. + + ## Is data shared with other customers? No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. @@ -84,6 +86,7 @@ Your data will be kept and will be available to you while the licence is under g ## Can Microsoft help us maintain regulatory compliance? Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. +Windows Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5. By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 61c31958f3..5050e3dcb1 100644 --- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -24,7 +24,7 @@ ms.date: 04/24/2018 - Windows Defender -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md index e293b7a30d..51f12e0109 100644 --- a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md @@ -1,6 +1,6 @@ --- -title: Delete Ti Indicator. -description: Deletes Ti Indicator entity by ID. +title: Delete Indicator API. +description: Deletes Indicator entity by ID. keywords: apis, public api, supported apis, delete, ti indicator, entity, id search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -14,33 +14,32 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- -# Delete TI Indicator API +# Delete Indicator API + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] >[!Note] -> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) +> Currently this API is only supported for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -Retrieves a TI Indicator entity by ID. +- Deletes an Indicator entity by ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- Application | Ti.ReadWrite | 'Read and write TI Indicators' +Application | Ti.ReadWrite.All | 'Read and write Indicators' ## HTTP request ``` -Delete https://api.securitycenter.windows.com/api/tiindicators/{id} +Delete https://api.securitycenter.windows.com/api/indicators/{id} ``` [!include[Improve request performance](improverequestperformance-new.md)] @@ -57,8 +56,8 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If TI Indicator exist and deleted successfully - 204 OK without content. -If TI Indicator with the specified id was not found - 404 Not Found. +If Indicator exist and deleted successfully - 204 OK without content. +If Indicator with the specified id was not found - 404 Not Found. ## Example @@ -67,7 +66,7 @@ If TI Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. ``` -DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f +DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f ``` **Response** diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index aca29a67c7..49545c0428 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index 73b494e5e7..c4590d0678 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index c8e00fbc8f..b3d89ea8d0 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 12/10/2018 # Enable SIEM integration in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md index 1311f7c265..6dd9971ceb 100644 --- a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md @@ -19,7 +19,7 @@ ms.date: 08/10/2018 --- # Evaluate Windows Defender ATP -[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. You can evaluate Windows Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index af1f166fa2..f49caf3929 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ ms.date: 05/21/2018 - Event Viewer -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index c41d6d1439..3e8ba14f02 100644 --- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 11/09/2017 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md index 9109892c6d..abe92e9dfe 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md @@ -20,32 +20,28 @@ ms.date: 09/03/2018 # Use Windows Defender ATP APIs **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user. - -[!include[Prerelease information](prerelease.md)] - - -This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user. - -If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md). +If you need programmatic access Windows Defender ATP without a user, refer to [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md). If you are not sure which access you need, read the [Introduction page](apis-intro.md). -Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: -- Create an app -- Get an access token +- Create an AAD application +- Get an access token using this application - Use the token to access Windows Defender ATP API -This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. +This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token. >[!NOTE] -> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission. +> When accessing Windows Defender ATP API on behalf of a user, you will need the correct App permission and user permission. > If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). >[!TIP] @@ -53,7 +49,7 @@ This page explains how to create an app, get an access token to Windows Defender ## Create an app -1. Log on to [Azure](https://portal.azure.com). +1. Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. @@ -78,13 +74,10 @@ This page explains how to create an app, get an access token to Windows Defender ![Image of API access and API selection](images/webapp-add-permission-2.png) -6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**. +6. Click **Select permissions** > **Check the desired permissions** > **Select**. >[!IMPORTANT] >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example. - - ![Image of select permissions](images/nativeapp-select-permissions.png) - For instance, - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission @@ -92,6 +85,8 @@ This page explains how to create an app, get an access token to Windows Defender To determine which permission you need, look at the **Permissions** section in the API you are interested to call. + ![Image of select permissions](images/nativeapp-select-permissions.png) + 7. Click **Done** @@ -116,39 +111,51 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co ### Using C# -The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 - -- Create a new Console Application -- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) -- Add the below using +- Copy/Paste the below class in your application. +- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token. ``` - using Microsoft.IdentityModel.Clients.ActiveDirectory; - ``` + namespace WindowsDefenderATP + { + using System.Net.Http; + using System.Text; + using System.Threading.Tasks; + using Newtonsoft.Json.Linq; -- Copy/Paste the below code in your application (pay attention to the comments in the code) + public static class WindowsDefenderATPUtils + { + private const string Authority = "https://login.windows.net"; - ``` - const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com"; + private const string WdatpResourceId = "https://api.securitycenter.windows.com"; - string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here - string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here + public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId) + { + using (var httpClient = new HttpClient()) + { + var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}"; - string username = "SecurityAdmin123@microsoft.com"; // Paste your username here - string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! + var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded"); - UserPasswordCredential userCreds = new UserPasswordCredential(username, password); + using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false)) + { + response.EnsureSuccessStatusCode(); - AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}"); - AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult(); - string token = authenticationResult.AccessToken; + var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false); + + var jObject = JObject.Parse(json); + + return jObject["access_token"].Value(); + } + } + } + } + } ``` ## Validate the token Sanity check to make sure you got a correct token: -- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it +- Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it - Validate you get a 'scp' claim with the desired app permissions - In the screenshot below you can see a decoded token acquired from the app in the tutorial: @@ -168,12 +175,11 @@ Sanity check to make sure you got a correct token: request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); - var response = await httpClient.SendAsync(request).ConfigureAwait(false); + var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); // Do something useful with the response ``` ## Related topics -- [Windows Defender ATP APIs](apis-intro.md) -- [Supported Windows Defender ATP APIs](exposed-apis-list.md) -- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md) \ No newline at end of file +- [Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md index a3afcae8bd..d26d9ddb56 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md @@ -20,31 +20,29 @@ ms.date: 09/03/2018 # Create an app to access Windows Defender ATP without a user **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +This page describes how to create an application to get programmatic access to Windows Defender ATP without a user. -[!include[Prerelease information](prerelease.md)] +If you need programmatic access Windows Defender ATP on behalf of a user, see [Get access wtih user context](exposed-apis-create-app-nativeapp.md) -This page describes how to create an application to get programmatical access to Windows Defender ATP without a user. - -If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) - -If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md). +If you are not sure which access you need, see [Get started](apis-intro.md). Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: -- Create an app -- Get an access token +- Create an AAD application +- Get an access token using this application - Use the token to access Windows Defender ATP API -This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. +This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token. ## Create an app -1. Log on to [Azure](https://portal.azure.com). +1. Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. @@ -54,9 +52,9 @@ This page explains how to create an app, get an access token to Windows Defender ![Image of Create application window](images/webapp-create.png) - - **Name:** WdatpEcosystemPartner + - **Name:** Choose your own name. - **Application type:** Web app / API - - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.) + - **Redirect URI:** `https://127.0.0.1` 4. Click **Settings** > **Required permissions** > **Add**. @@ -69,18 +67,17 @@ This page explains how to create an app, get an access token to Windows Defender ![Image of API access and API selection](images/webapp-add-permission-2.png) -6. Click **Select permissions** > **Run advanced queries** > **Select**. +6. Click **Select permissions** > **Check the desired permissions** > **Select**. - **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example! - - ![Image of select permissions](images/webapp-select-permission.png) + **Important note**: You need to select the relevant permissions. 'Run advanced queries' is only an example! For instance, - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + ![Image of select permissions](images/webapp-select-permission.png) 7. Click **Done** @@ -94,7 +91,7 @@ This page explains how to create an app, get an access token to Windows Defender ![Image of Grant permissions](images/webapp-grant-permissions.png) -9. Click **Keys** and type a key name and click **Save**. +9. Click **Keys**, type a key name and click **Save**. **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave! @@ -102,9 +99,9 @@ This page explains how to create an app, get an access token to Windows Defender 10. Write down your application ID. - ![Image of app ID](images/webapp-get-appid.png) + ![Image of created app id](images/webapp-app-id1.png) -11. Set your application to be multi-tenanted +11. **For Windows Defender ATP Partners only** - Set your application to be multi-tenanted This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant). @@ -114,26 +111,54 @@ This page explains how to create an app, get an access token to Windows Defender ![Image of multi tenant](images/webapp-edit-multitenant.png) + - Application consent for your multi-tenant App: + + You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Windows Defender ATP application on behalf of your customer. -## Application consent -You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer. + You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. -You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. + Consent link is of the form: -Consent link is of the form: + ``` + https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ + ``` -``` -https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ -``` - -where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID + where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID -## Get an access token +- **Done!** You have successfully registered an application! +- See examples below for token acquisition and validation. + +## Get an access token examples: For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) -### Using C# +### Using PowerShell + +``` +# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory +# Paste below your Tenant ID, App ID and App Secret (App key). + +$tenantId = '' ### Paste your tenant ID here +$appId = '' ### Paste your app ID here +$appSecret = '' ### Paste your app key here + +$resourceAppIdUri = 'https://api.securitycenter.windows.com' +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$authBody = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} +$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop +$token = $authResponse.access_token +Out-File -FilePath "./Latest-token.txt" -InputObject $token +return $token + +``` + +### Using C#: >The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 @@ -161,9 +186,6 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co string token = authenticationResult.AccessToken; ``` -### Using PowerShell - -Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token) ### Using Python @@ -177,7 +199,7 @@ Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) - Open a command window - ​Set CLIENT_ID to your Azure application ID - Set CLIENT_SECRET to your Azure application secret -- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application +- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Windows Defender ATP application - Run the below command: ``` @@ -195,7 +217,7 @@ You will get an answer of the form: Sanity check to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it - Validate you get a 'roles' claim with the desired permissions -- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles: +- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Windows Defender ATP's roles: ![Image of token validation](images/webapp-decoded-token.png) @@ -213,12 +235,11 @@ Sanity check to make sure you got a correct token: request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); - var response = await httpClient.SendAsync(request).ConfigureAwait(false); + var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); // Do something useful with the response ``` ## Related topics -- [Windows Defender ATP APIs](apis-intro.md) - [Supported Windows Defender ATP APIs](exposed-apis-list.md) - [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md index b65c98cd30..9256735a62 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md @@ -19,9 +19,7 @@ ms.date: 09/24/2018 # Windows Defender ATP APIs using PowerShell **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Full scenario using multiple APIs from Windows Defender ATP. @@ -48,7 +46,7 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass - Run the below > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP) > - $appSecret: Secret of your AAD app > - $suspiciousUrl: The URL diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md index 55933fb093..2be8b96e04 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 30/07/2018 --- # Supported Windows Defender ATP query APIs diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 581c198d4a..3224af9ce2 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -14,18 +14,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/15/2018 --- # OData queries with Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] -- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) -- Not all properties are filterable. +If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) + +Not all properties are filterable. ### Properties that supports $filter: @@ -64,7 +63,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "High", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, @@ -149,7 +147,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "High", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, @@ -191,7 +188,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "High", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, @@ -233,7 +229,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "High", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, @@ -278,5 +273,23 @@ Content-type: application/json } ``` +### Example 7 + +- Get the count of open alerts for a specific machine: + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved' +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json + +4 + +``` + ## Related topic - [Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md index 6a846b32c3..fa296bb3af 100644 --- a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # File resource type +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] -Represent a file entity in WDATP. +Represent a file entity in Windows Defender ATP. # Methods Method|Return Type |Description @@ -49,5 +49,5 @@ fileProductName | String | Product name. signer | String | File signer. issuer | String | File issuer. signerHash | String | Hash of the signing certificate. -isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent. +isValidCertificate | Boolean | Was signing certificate successfully verified by Windows Defender ATP agent. diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md index 5e8d10dd1e..10f9c1f0dc 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md @@ -19,11 +19,8 @@ ms.date: 07/25/2018 # Find machine information by internal IP API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Find a machine by internal IP. diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index a3f532f281..7fd4ec0b04 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -14,19 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Find machines by internal IP API - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] +Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp -- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp -- The given timestamp must be in the past 30 days. +The given timestamp must be in the past 30 days. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -102,7 +99,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index c1c26a4658..e6933232eb 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 10/23/2017 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -44,7 +44,12 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D **Machine was offboarded**
      If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. -Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). + +**Machine is not sending signals** +If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. + + +Do you expect a machine to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines Misconfigured machines can further be classified to: diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md index 3cbd5cc31e..a7365f8291 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert information by ID API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves an alert by its ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md index 5e0a0256ae..9048ee44e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related domain information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] Retrieves all domains related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md index a286bb19f9..7a06825e2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related files information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves all files related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md index af24309c36..fcc6714b48 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related IP information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves all IPs related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 55b0895b5f..0b169ac577 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -14,17 +14,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related machine information API - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - -- Retrieves machine that is related to a specific alert. +Retrieves machine that is related to a specific alert. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md index a96ecfe588..484a4874d8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get alert related user information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the user associated to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 45820ed888..9a1faba1e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,21 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # List alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] +Retrieves a collection of Alerts. +Supports [OData V4 queries](https://www.odata.org/documentation/). -- Retrieves a collection of Alerts. -- Supports [OData V4 queries](https://www.odata.org/documentation/). -- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". + +See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md index 304062eb4b..3149b5d23f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md @@ -10,10 +10,10 @@ ms.sitesec: library ms.pagetype: security ms.author: leonidzh author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance ms.topic: article ms.date: 10/07/2018 --- @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a map of CVE's to KB's and CVE details. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index 2a44ef58e4..d09e702dfd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,19 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get domain related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index 00bff8380f..4355e3594a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get domain related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines that have communicated to or from a given domain address. @@ -98,7 +95,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] }, @@ -117,7 +113,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": false, "aadDeviceId": null, "machineTags": [ "test tag 1" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md index f4f669e5a2..12d290b29d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get domain statistics API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the prevalence for the given domain. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md index 792f618d5f..cfa1df6eb2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file information API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a file by identifier Sha1, Sha256, or MD5. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index 46f6a80f2a..f75ad0ee2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file related alerts API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index bf738b355a..33e5bfd6ea 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file related machines API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Retrieves a collection of machines related to a given file hash. @@ -98,7 +94,6 @@ Content-type: application/json "healthStatus": "Active", "rbacGroupId": 140, "riskScore": "Low", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] }, @@ -116,7 +111,6 @@ Content-type: application/json "healthStatus": "Inactive", "rbacGroupId": 140, "riskScore": "Low", - "isAadJoined": false, "aadDeviceId": null, "machineTags": [ "test tag 1" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md index 17f1f3525d..00bf2bf323 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -14,19 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get file statistics API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the prevalence for the given file. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 08817b8e70..80c4fcf202 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get IP related alerts API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given IP address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index 28d4703b18..02aa1f61ba 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get IP related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines that communicated with or from a particular IP. @@ -98,7 +95,6 @@ Content-type: application/json "rbacGroupId": 140, "riskScore": "Low", "rbacGroupName": "The-A-Team", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] }, @@ -117,7 +113,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": false, "aadDeviceId": null, "machineTags": [ "test tag 1" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md index 3c2c965ffb..becbf40d3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -14,17 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get IP statistics API **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves the prevalence for the given IP. diff --git a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md index f44abf8b92..1752cd4d91 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of KB's and KB details. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index 3612531147..9710899e3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -14,18 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machine by ID API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - -- Retrieves a machine entity by ID. +Retrieves a machine entity by ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -99,7 +95,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md index eb0edbe3e4..a50a37d200 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machine log on users API - -[!include[Prereleaseinformation](prerelease.md)] - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) Retrieves a collection of logged on users. ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index df392f1ef1..92fa67c016 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machine related alerts API - -[!include[Prereleaseinformation](prerelease.md)] - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) Retrieves a collection of alerts related to a given machine ID. ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index 19a78ab6d8..ede9947280 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -14,18 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get machineAction API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] - -- Get action performed on a machine. +Get action performed on a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index 4be4316a45..bd36b12c8a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -14,21 +14,21 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # List MachineActions API **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] +Gets collection of actions done on machines. -- Gets collection of actions done on machines. -- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). -- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). + +The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". + +See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md index acd0502c87..412c1bd762 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of RBAC machine groups. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 907c5e5838..449c19a1e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -14,21 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # List machines API - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prereleaseinformation](prerelease.md)] +This API can do the following actions: -- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. +- Retrieves a collection of machines that have communicated with Windows Defender ATP cloud on the last 30 days. - Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md index f118c229d5..64448439c9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md @@ -15,14 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/07/2018 --- # Get Machines security states collection API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines security states. diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md index 32bc25c9bd..f2f944e0e0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get package SAS URI API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md). diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md index 22b8e3e7ee..96a02d2c87 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-started.md +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -21,7 +21,7 @@ ms.date: 11/20/2018 # Get started with Windows Defender Advanced Threat Protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!TIP] >- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). @@ -31,6 +31,9 @@ Learn about the minimum requirements and initial steps you need to take to get s The following capabilities are available across multiple products that make up the Windows Defender ATP platform. +**Threat & Vulnerability Management**
      +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience. + **Attack surface reduction**
      The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md deleted file mode 100644 index ffef895d91..0000000000 --- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md +++ /dev/null @@ -1,96 +0,0 @@ ---- -title: Get Ti Indicator by ID API -description: Retrieves Ti Indicator entity by ID. -keywords: apis, public api, supported apis, get, ti indicator, entity, id -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 12/08/2017 ---- - -# Get TI Indicator by ID API - -[!include[Prereleaseinformation](prerelease.md)] - ->[!Note] -> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) - - -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) -Retrieves a TI Indicator entity by ID. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Ti.ReadWrite | 'Read and write TI Indicators' - - -## HTTP request -``` -GET https://api.securitycenter.windows.com/api/tiindicators/{id} -``` - -[!include[Improve request performance](improverequestperformance-new.md)] - - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body. -If TI Indicator with the specified id was not found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity", - "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", - "indicatorType": "FileSha1", - "title": "test", - "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", - "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c", - "expirationTime": "2020-12-12T00:00:00Z", - "action": "AlertAndBlock", - "severity": "Informational", - "description": "test", - "recommendedActions": "TEST" -} - -``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md index c08f3eba3d..d3469d7f53 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md @@ -1,7 +1,7 @@ --- -title: List TiIndicators API -description: Use this API to create calls related to get TiIndicators collection -keywords: apis, public api, supported apis, TiIndicators collection +title: List Indicators API +description: Use this API to create calls related to get Indicators collection +keywords: apis, public api, supported apis, Indicators collection search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -14,35 +14,33 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- -# List TiIndicators API +# List Indicators API -[!include[Prereleaseinformation](prerelease.md)] - ->[!Note] -> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -**Applies to:** +>[!NOTE] +> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Gets collection of TI Indicators. - Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- Gets collection of TI Indicators. +- Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- -Application | Ti.ReadWrite | 'Read and write TI Indicators' +Application | Ti.ReadWrite | 'Read and write Indicators' +Application | Ti.ReadWrite.All | 'Read and write All Indicators' ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/tiindicators +GET https://api.securitycenter.windows.com/api/indicators ``` [!include[Improve request performance](improverequestperformance-new.md)] @@ -58,20 +56,19 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. >[!Note] -> The response will only include TI Indicators that submitted by the calling Application. +> If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created. - -## Example +## Example 1: **Request** -Here is an example of a request that gets all TI Indicators +Here is an example of a request that gets all Indicators ``` -GET https://api.securitycenter.windows.com/api/tiindicators +GET https://api.securitycenter.windows.com/api/indicators ``` **Response** @@ -82,22 +79,23 @@ Here is an example of the response. HTTP/1.1 200 Ok Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators", + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators", "value": [ { - "indicator": "12.13.14.15", + "indicatorValue": "12.13.14.15", "indicatorType": "IpAddress", "title": "test", "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z", - "action": "AlertAndBlock", + "action": "Alert", "severity": "Informational", "description": "test", - "recommendedActions": "test" + "recommendedActions": "test", + "rbacGroupNames": [] }, { - "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", "title": "test", "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", @@ -106,8 +104,48 @@ Content-type: application/json "action": "AlertAndBlock", "severity": "Informational", "description": "test", - "recommendedActions": "TEST" + "recommendedActions": "TEST", + "rbacGroupNames": [ "Group1", "Group2" ] } + ... + ] +} +``` + +## Example 2: + +**Request** + +Here is an example of a request that gets all Indicators with 'AlertAndBlock' action + +``` +GET https://api.securitycenter.windows.com/api/indicators?$filter=action eq 'AlertAndBlock' +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators", + "value": [ + { + "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST", + "rbacGroupNames": [ "Group1", "Group2" ] + } + ... ] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md index c0f03256f8..54be0763a9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get user information API - -[!include[Prerelease information](prerelease.md)] - **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) Retrieve a User entity by key (user name). diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index 6044ca7009..e239d6ca71 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get user related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of alerts related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index 85086a77ec..b137144be5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Get user related machines API - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines related to a given user ID. @@ -101,7 +97,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] }, @@ -120,7 +115,6 @@ Content-type: application/json "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", - "isAadJoined": false, "aadDeviceId": null, "machineTags": [ "test tag 1" ] } diff --git a/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png b/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png index ff9c97c86e..3fae6eba9a 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png index 887498f7bc..fa8836ea1f 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png index 28b5b3156f..dd521d492a 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg new file mode 100644 index 0000000000..ed71564e87 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png index 7e6df62bdf..f2622cbc2b 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg new file mode 100644 index 0000000000..020b1d4132 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png new file mode 100644 index 0000000000..d5b9b48086 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg new file mode 100644 index 0000000000..d089da2493 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png index df1b70e041..6066f305a2 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png b/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png index 95908405ce..e69ea2a796 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png new file mode 100644 index 0000000000..41faa16718 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/api-jwt-ms.png b/windows/security/threat-protection/windows-defender-atp/images/api-jwt-ms.png new file mode 100644 index 0000000000..c8a117dffe Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/api-jwt-ms.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/api-tenant-id.png b/windows/security/threat-protection/windows-defender-atp/images/api-tenant-id.png new file mode 100644 index 0000000000..ebac0b0e34 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/api-tenant-id.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/creating-account.png b/windows/security/threat-protection/windows-defender-atp/images/creating-account.png new file mode 100644 index 0000000000..54599d4b99 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/creating-account.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/machine-reports.png b/windows/security/threat-protection/windows-defender-atp/images/machine-reports.png new file mode 100644 index 0000000000..44bf616eb0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/machine-reports.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/setup-preferences.png b/windows/security/threat-protection/windows-defender-atp/images/setup-preferences.png new file mode 100644 index 0000000000..b1b9ba11c9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/setup-preferences.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/setup-preferences2.png b/windows/security/threat-protection/windows-defender-atp/images/setup-preferences2.png new file mode 100644 index 0000000000..083f3a098d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/setup-preferences2.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png new file mode 100644 index 0000000000..ebd390bd98 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png new file mode 100644 index 0000000000..b87ba02a90 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png new file mode 100644 index 0000000000..36c8c8b48f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png new file mode 100644 index 0000000000..d321e0ca67 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png new file mode 100644 index 0000000000..04643d5e8d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png new file mode 100644 index 0000000000..d535499b79 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png new file mode 100644 index 0000000000..f7e982c9c9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png new file mode 100644 index 0000000000..6e474ccfa6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png new file mode 100644 index 0000000000..eaaa01d3c0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png new file mode 100644 index 0000000000..49850a80e1 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png new file mode 100644 index 0000000000..2711f9560e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png new file mode 100644 index 0000000000..fb099b05f2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png new file mode 100644 index 0000000000..3dd9ada0c9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png new file mode 100644 index 0000000000..89bdbc6495 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png new file mode 100644 index 0000000000..1ae6f4320d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png new file mode 100644 index 0000000000..095eb7424c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png new file mode 100644 index 0000000000..d7e4a4dd08 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-readalerts.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-readalerts.png new file mode 100644 index 0000000000..2872b71881 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-readalerts.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-app-id1.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-app-id1.png new file mode 100644 index 0000000000..4c058c2f93 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-app-id1.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png index a091db0189..dea9d8493d 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/welcome1.png b/windows/security/threat-protection/windows-defender-atp/images/welcome1.png new file mode 100644 index 0000000000..7a52f49989 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/welcome1.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md index 475a844fa1..880f5e4d11 100644 --- a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md +++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Improve request performance diff --git a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md index c8959b8a9b..1a769c409b 100644 --- a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md @@ -19,7 +19,7 @@ ms.topic: conceptual # Incidents in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations. diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md index 7ca743699d..a8696ec1d9 100644 --- a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md @@ -19,9 +19,7 @@ ms.date: 12/05/2018 # Configure information protection in Windows **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md index fc95457fbb..be963a981f 100644 --- a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md @@ -14,12 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/05/2018 --- # Information protection in Windows overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..7e91cf5285 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,98 @@ +--- +title: Initiate machine investigation API +description: Use this API to create calls related to initiating an investigation on a machine. +keywords: apis, graph api, supported apis, initiate AutoIR investigation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Initiate machine investigation API (Preview) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Initiate AutoIR investigation on a machine. + +>[!Note] +> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information. + +## Limitations +1. The number of executions is limited (up to 5 calls per hour). +2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 200 OK response code with object that holds the investigation ID in the "value" parameter. If machine was not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation +Content-type: application/json +{ + "Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64", + "value": 5146 +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index caeb9391f8..1c60dae5b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index 8da3f67372..010408840d 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index d9ae8a7faf..cf4b455f24 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index 4bf073aca3..47c0edb764 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ ms.topic: article # Investigate incidents in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index b197fed832..cf77b8afb9 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 838654bcf3..2b9d2d90f5 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 09/18/2018 # Investigate machines in the Windows Defender ATP Machines list **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index b47a079791..4260159191 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md index 026174d5f5..fbf715ebd3 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Was domain seen in org **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answers whether a domain was seen in the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md index 8cfb010fc6..73631e76cb 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Was IP seen in org **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] Answers whether an IP was seen in the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index a09ded139b..66ef8c4c99 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Isolate machine API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Isolates a machine from accessing external network. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 42437e4204..9560bb473f 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -8,21 +8,19 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-tanewt -author: tbit0001 +ms.author: macapara +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/16/2017 --- + # Validate licensing provisioning and complete set up for Windows Defender ATP **Applies to:** - - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -58,67 +56,56 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. - ![Image of Set up your permissions for WDATP](images\atp-setup-permissions-wdatp-portal.png) + ![Image of Set up your permissions for Windows Defender ATP](images\atp-setup-permissions-wdatp-portal.png) Once the authorization step is completed, the **Welcome** screen will be displayed. 2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard. - ![Image of Welcome screen for portal set up](images\atp-portal-welcome-screen.png) + ![Image of Welcome screen for portal set up](images\welcome1.png) You will need to set up your preferences for Windows Defender Security Center. -3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +3. Set up preferences + + ![Image of geographic location in set up](images\setup-preferences.png) - > [!WARNING] - > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. + 1. **Select data storage location**
      When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. - ![Image of geographic location in set up](images\atp-geographic-location-setup.png) + > [!WARNING] + > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. -4. Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. + 2. **Select the data retention policy**
      Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. - > [!NOTE] - > This option can be changed at a later time. + > [!NOTE] + > This option can be changed at a later time. - ![Image of data retention set up](images\atp-data-retention-policy.png) + 3. **Select the size of your organization**
      You will need to indicate the size of your organization based on an estimate of the number of employees currently employed. -5. You will need to indicate the size of your organization based on an estimate of the number of employees currently employed. + > [!NOTE] + > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. - > [!NOTE] - > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. + 4. **Turn on preview features**
      Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**. - ![Image of organization size](images\atp-organization-size.png) - -6. The customer industry information is helpful in collecting data for the Windows Security Team, and while optional, would be useful if completed. - - > [!NOTE] - > This option can be changed at a later time. - - ![Image of industry information](images\atp-industry-information.png) - -7. Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**. - - You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. + You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. - Toggle the setting between On and Off to choose **Preview features**. - > [!NOTE] - > This option can be changed at a later time. + > [!NOTE] + > This option can be changed at a later time. - ![Image of preview experience](images\atp-preview-experience.png) - -8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**. +4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**. > [!NOTE] > Some of these options can be changed at a later time in Windows Defender Security Center. - ![Image of final preference set up](images\atp-final-preference-setup.png) + ![Image of final preference set up](images\setup-preferences2.png) -9. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. +5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. - ![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png) + ![Image of Windows Defender ATP cloud instance](images\creating-account.png) -10. You are almost done. Before you can start using Windows Defender ATP you'll need to: +6. You are almost done. Before you can start using Windows Defender ATP you'll need to: - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) @@ -130,7 +117,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows > If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification: >![Image of setup imcomplete](images\atp-setup-incomplete.png) -11. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time. +7. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time. ![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 577b8b2663..d983539915 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 05/08/2018 --- # Create and manage machine groups in Windows Defender ATP @@ -24,7 +23,7 @@ ms.date: 05/08/2018 - Azure Active Directory - Office 365 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -34,6 +33,9 @@ In Windows Defender ATP, you can create machine groups and use them to: - Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md) - Configure different auto-remediation settings for different sets of machines +>[!TIP] +> For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015). + As part of the process of creating a machine group, you'll: - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). - Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. @@ -44,6 +46,7 @@ As part of the process of creating a machine group, you'll: >A machine group is accessible to all users if you don’t assign any Azure AD groups to it. + ## Create a machine group 1. In the navigation pane, select **Settings** > **Machine groups**. diff --git a/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..25140e78df --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md @@ -0,0 +1,81 @@ +--- +title: Machine health and compliance report in Windows Defender ATP +description: Track machine health state detections, antivirus status, OS platform, and Windows 10 versions using the machine health and compliance report +keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Machine health and compliance report in Windows Defender ATP +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. + + +The dashboard is structured into two sections: + ![Image of the machine report](images/machine-reports.png) + +Section | Description +:---|:--- +1 | Machine trends +2 | Machine summary (current day) + + + +By default, the machine trends displays machine information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options: + +- 30 days +- 3 months +- 6 months +- Custom + +While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day. + +The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive. + + + + +## Machine attributes +The report is made up of cards that display the following machine attributes: + +- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen. + +- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Windows Defender Antivirus. + +- **OS platforms**: shows the distribution of OS platforms that exists within your organization. + +- **Windows 10 versions**: shows the distribution of Windows 10 machines and their versions in your organization. + + + +## Filter data + +Use the provided filters to include or exclude machines with certain attributes. + +You can select multiple filters to apply from the machine attributes. + +>[!NOTE] +>These filters apply to **all** the cards in the report. + +For example, to show data about Windows 10 machines with Active sensor health state: + +1. Under **Filters > Sensor health state > Active**. +2. Then select **OS platforms > Windows 10**. +3. Select **Apply**. + + +## Related topic +- [Threat protection report ](threat-protection-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md index 72b05d4072..40687ef4f7 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md @@ -14,10 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/11/2018 --- # Machine resource type +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) # Methods @@ -35,18 +36,17 @@ Property | Type | Description :---|:---|:--- id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity. computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name. -firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. -lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. +firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Windows Defender ATP. +lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Windows Defender ATP. osPlatform | String | OS platform. osVersion | String | OS Version. lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. -agentVersion | String | Version of WDATP agent. +agentVersion | String | Version of Windows Defender ATP agent. osBuild | Nullable long | OS build number. healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" rbacGroupId | Int | RBAC Group ID. rbacGroupName | String | RBAC Group Name. -riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined. +riskScore | Nullable Enum | Risk score as evaluated by Windows Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md index 29d142c046..aa6b9b537e 100644 --- a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md @@ -14,15 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # MachineAction resource type - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Method|Return Type |Description :---|:---|:--- @@ -35,7 +31,7 @@ Method|Return Type |Description [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution. [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction. [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable). -[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP. +[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from Windows Defender ATP. # Properties Property | Type | Description diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md index fcbd68ecec..3f4a20dcbc 100644 --- a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md @@ -3,4 +3,4 @@ ms.date: 08/28/2017 author: zavidor --- >[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index bf990d1101..c94234e9e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -23,7 +23,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 660e1f0cd1..9e41349720 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/03/2018 --- # Manage Windows Defender Advanced Threat Protection alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink) @@ -67,7 +66,15 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane. -2. Select **Create a supression rule**. +2. Select **Create a suppression rule**. + + You can create a suppression rule based on the following attributes: + + * File hash + * File name - wild card supported + * File path - wild card supported + * IP + * URL - wild card supported 3. Select the **Trigerring IOC**. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 94a7712aed..78b40b3a95 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -15,15 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 06/14/2018 --- # Manage automation allowed/blocked lists **Applies to:** - - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -40,12 +37,9 @@ You can define the conditions for when entities are identified as malicious or s ## Create an allowed or blocked list 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. -2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities: - - File hash - - Certificate - - IP address - -3. Click **Add system exclusion**. +2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for certificates. + +3. Select **Add allowed/blocked list rule**. 4. For each attribute specify the exclusion type, details, and their corresponding required values. @@ -70,4 +64,5 @@ You can define the conditions for when entities are identified as malicious or s ## Related topics - [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index b3d4ebdb7c..e311c292ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Manage automation file uploads @@ -23,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index f559363b7a..370187b6f0 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Manage automation folder exclusions @@ -23,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md index b430f21281..38ce9039ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/01/2018 --- # Manage endpoint detection and response capabilities diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md index 649d06d0fa..8b8fa19749 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 010/08/2018 # Manage Windows Defender ATP incidents **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md new file mode 100644 index 0000000000..db76c00fda --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md @@ -0,0 +1,84 @@ +--- +title: Manage indicators +description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities. +keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Manage indicators + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + + +Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. + +On the top navigation you can: +- Import a list +- Add an indicator +- Customize columns to add or remove columns +- Export the entire list in CSV format +- Select the items to show per page +- Navigate between pages +- Apply filters + +## Create an indicator +1. In the navigation pane, select **Settings** > **Allowed/blocked list**. + +2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: + - File hash + - IP address + - URLs/Domains + +3. Click **Add indicator**. + +4. For each attribute specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + + +>[!NOTE] +>Blocking IPs, domains, or URLs is currently available on limited preview only. +>This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon. +>As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity. + + +## Manage indicators +1. In the navigation pane, select **Settings** > **Allowed/blocked list**. + +2. Select the tab of the entity type you'd like to manage. + +3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. + +## Import a list +You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. + +Download the sample CSV to know the supported column attributes. + + +## Related topics +- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index 0ff8691e5c..ec47236a66 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -15,15 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Manage suppression rules **Applies to:** - - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md index 8a0deb4397..2fd2dd6083 100644 --- a/windows/security/threat-protection/windows-defender-atp/management-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Overview of management and APIs **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink) @@ -61,7 +60,7 @@ Managed security service provider | Get a quick overview on managed security ser ## Related topics - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Use the Windows Defender ATP exposed APIs](use-apis.md) +- [Windows Defender ATP Public API](use-apis.md) - [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) - [Role-based access control](rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index 0c182b091a..41f0442d90 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -15,31 +15,26 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/19/2018 - --- -# Configure Microsoft Cloud App Security in Windows +# Configure Microsoft Cloud App Security in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] ->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. - -![Advanced features](images/atp-mcas-settings.png) - Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security. ## View the data collected diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md index 75ad85f97d..0edfd423b9 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -18,11 +18,11 @@ ms.topic: conceptual ms.date: 10/18/2018 --- -# Microsoft Cloud App Security in Windows overview +# Microsoft Cloud App Security in Windows Defender ATP overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md new file mode 100644 index 0000000000..45bd9d4c80 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md @@ -0,0 +1,47 @@ +--- +title: Microsoft Threat Experts +description: Microsoft Threat Experts is the new managed threat hunting service in Windows Defender Advanced Threat Protection (Windows Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. +keywords: managed threat hunting service, managed threat hunting, MTE, Microsoft Threat Experts +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 +--- + +# Microsoft Threat Experts +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. + +This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. + +## Targeted attack notification +Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes: +- Threat monitoring and analysis, reducing dwell time and risk to the business +- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks +- Identifying the most important risks, helping SOCs maximize time and energy +- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. + +## Collaborate with experts, on demand +Customers can engage our security experts directly from within Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: +- Get additional clarification on alerts including root cause or scope of the incident +- Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker +- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques +- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary + + +## Related topic +- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 02bcbfb594..afd1ba57b5 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Minimum requirements for Windows Defender ATP -description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP. -keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel +description: Understand the licensing requirements and requirements for onboarding machines to the sercvie +keywords: minimum requirements, licensing, comparison table search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/20/2018 --- # Minimum requirements for Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are some minimum requirements for onboarding machines to the service. @@ -41,8 +40,9 @@ Windows Defender Advanced Threat Protection requires one of the following Micros For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare). -For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). +For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559). +For more information about licensing requirements for Windows Defender ATP platform on Windows Server, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114). ## Related topic diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md index 1940bd5a74..ee2aca23c7 100644 --- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/29/2018 --- # Managed security service provider support **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md new file mode 100644 index 0000000000..40df258764 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -0,0 +1,67 @@ +--- +title: Next-generation Threat & Vulnerability Management +description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Threat & Vulnerability Management +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. + +It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. + +## Next-generation capabilities +Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. + +It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades. +>[!Note] +> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager + +### Real-time discovery + +To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: +- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible. +- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations. + +### Intelligence-driven prioritization + +Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: +- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. +- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. +- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. + +### Seamless remediation + +Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. +- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. + +## Related topics +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index a228a7ad08..b49c5af6ec 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Offboard machine API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] - -Offboard machine from WDATP. +Offboard machine from Windows Defender ATP. [!include[Machine actions note](machineactionsnote.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index 9e1a9a8972..dc2b133c7a 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/24/2018 --- # Offboard machines from the Windows Defender ATP service @@ -25,7 +24,7 @@ ms.date: 04/24/2018 - Linux - Windows Server 2012 R2 - Windows Server 2016 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index bc7c30d8a2..59fad5bda4 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/19/2018 --- # Onboard machines to the Windows Defender ATP service **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You need to turn on the sensor to give visibility within Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 0bccc2871e..700436d636 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ ms.topic: article - Windows 7 SP1 Pro - Windows 8.1 Pro - Windows 8.1 Enterprise -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) @@ -66,7 +66,7 @@ Review the following details to verify minimum system requirements: - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) - >[NOTE] + >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. >Don't install .NET framework 4.0.x, since it will negate the above installation. diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md new file mode 100644 index 0000000000..9d6532688d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md @@ -0,0 +1,53 @@ +--- +title: Onboard machines without Internet access to Windows Defender ATP +description: Onboard machines without Internet access so that they can send sensor data to the Windows Defender ATP sensor +keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Onboard machines without Internet access to Windows Defender ATP + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +To onboard machines without Internet access, you'll need to take the following general steps: + + +## On-premise machines + +- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: + - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID + +- Offline machines in the same network of Azure Log Analytics + - Configure MMA to point to: + - Azure Log Analytics IP as a proxy + - Microsoft Defender ATP workspace key & ID + +## Azure virtual machines +- Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway) + + - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: + - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID + - Offline Azure VMs in the same network of OMS Gateway + - Configure Azure Log Analytics IP as a proxy + - Azure Log Analytics Workspace Key & ID + + - Azure Security Center (ASC) + - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) + - [Threat Detection \> Allow Windows Defender ATP to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) + + For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md index 6a260ac891..979917a18f 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Configure and manage Windows Defender ATP capabilities **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md index c23a4512ad..e6ea3aed4c 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/21/2019 --- # Overview of attack surface reduction **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md index a9c37011dc..76fd2d9bd1 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/29/2018 --- # Custom detections overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md index a282188a74..4599298025 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md @@ -15,14 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Overview of endpoint detection and response **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md index f98065e413..b86fea8fb4 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md @@ -18,15 +18,12 @@ ms.date: 09/07/2018 # Hardware-based isolation in Windows 10 -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender ATP. | Feature | Description | |------------|-------------| | [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. | -| [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. | - - - +| [Windows Defender System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. | diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md index f23f20f711..3f92d168af 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md @@ -15,12 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/12/2018 --- # Overview of advanced hunting **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md index e6b0df0de0..bde1e7c9b6 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md @@ -15,12 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Overview of Secure score in Windows Defender Security Center **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index 90ad7887df..f91e35c7df 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -1,7 +1,7 @@ --- title: Overview of Windows Defender ATP -description: -keywords: +description: Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform +keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/20/2018 --- # Overview of Windows Defender ATP capabilities **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. @@ -33,6 +32,7 @@ Understand the concepts behind the capabilities in Windows Defender ATP so you t Topic | Description :---|:--- +[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats. [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. diff --git a/windows/security/threat-protection/windows-defender-atp/partner-applications.md b/windows/security/threat-protection/windows-defender-atp/partner-applications.md new file mode 100644 index 0000000000..24ba042fc8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/partner-applications.md @@ -0,0 +1,64 @@ +--- +title: Partner applications in Microsoft Defender ATP +description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform +keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Partner applications in Microsoft Defender ATP +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + + +The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. + +Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. + +## SIEM integration +Microsoft Defender ATP supports SIEM integration through a variety of methods specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md). + +## Ticketing and IT service management +Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. + +## Security orchestration and automation response (SOAR) integration +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. + +## External alert correlation and Automated investigation and remediation +Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. + +Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. + +External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert - with the real process and the full story of attack. + +## Indicators matching +You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). + +Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when theres a match. + +Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. + +## Support for non-Windows platforms +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products sensor data giving you a unified experience. + + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index b32528daaa..d94a65a540 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/24/2018 --- # Windows Defender Advanced Threat Protection portal overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -44,7 +43,7 @@ When you open the portal, you’ll see the main areas of the application: - (3) Search, Community center, Time settings, Help and support, Feedback > [!NOTE] -> Malware related detections will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product. You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. @@ -108,10 +107,12 @@ Icon | Description ![Running icon](images\running.png) | Automated investigation - running ![Remediated icon](images\remediated.png) | Automated investigation - remediated ![Partially investigated icon](images\partially_remediated.png) | Automated investigation - partially remediated - +![Threat insights icon](images\tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights +![Possible active alert icon](images\tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert +![Recommendation insights icon](images\tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights ## Related topics - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) - [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md index 52645783c6..82d437d18a 100644 --- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -1,7 +1,7 @@ --- -title: Submit or Update Ti Indicator API -description: Use this API to submit or Update Ti Indicator. -keywords: apis, graph api, supported apis, submit, ti, ti indicator, update +title: Submit or Update Indicator API +description: Use this API to submit or Update Indicator. +keywords: apis, graph api, supported apis, submit, ti, indicator, update search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -14,35 +14,33 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- -# Submit or Update TI Indicator API +# Submit or Update Indicator API + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] >[!Note] -> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) +> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +- Submits or Updates new [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- -Application | Ti.ReadWrite | 'Read and write TI Indicators' +Application | Ti.ReadWrite | 'Read and write Indicators' +Application | Ti.ReadWrite.All | 'Read and write All Indicators' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/tiindicators +POST https://api.securitycenter.windows.com/api/indicators ``` [!include[Improve request performance](improverequestperformance-new.md)] @@ -60,10 +58,10 @@ In the request body, supply a JSON object with the following parameters: Parameter | Type | Description :---|:---|:--- -indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required** +indicatorValue | String | Identity of the [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required** indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** -title | String | TI indicator alert title. **Optional** +title | String | Indicator alert title. **Optional** expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional** severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional** description | String | Description of the indicator. **Optional** @@ -71,8 +69,8 @@ recommendedActions | String | TI indicator alert recommended actions. **Optional ## Response -- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body. -- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action. +- If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body. +- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit an Indicator that conflicts with an existing Indicator type or Action. ## Example @@ -81,10 +79,10 @@ recommendedActions | String | TI indicator alert recommended actions. **Optional Here is an example of the request. ``` -POST https://api.securitycenter.windows.com/api/tiindicators +POST https://api.securitycenter.windows.com/api/indicators Content-type: application/json { - "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", "title": "test", "expirationTime": "2020-12-12T00:00:00Z", @@ -103,8 +101,8 @@ Here is an example of the response. HTTP/1.1 200 OK Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity", + "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", "title": "test", "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", @@ -113,7 +111,8 @@ Content-type: application/json "action": "AlertAndBlock", "severity": "Informational", "description": "test", - "recommendedActions": "TEST" + "recommendedActions": "TEST", + "rbacGroupNames": [] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 6c737bf2c1..c38db1be9d 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -14,14 +14,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/26/2018 --- # Create and build Power BI reports using Windows Defender ATP data **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index 406846d961..66420af797 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # PowerShell code examples for the custom threat intelligence API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 980babf64a..c868f2a2d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -15,12 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Configure Windows Defender Security Center settings **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/prerelease.md b/windows/security/threat-protection/windows-defender-atp/prerelease.md index c910af7f12..f3b45c2b5a 100644 --- a/windows/security/threat-protection/windows-defender-atp/prerelease.md +++ b/windows/security/threat-protection/windows-defender-atp/prerelease.md @@ -1,6 +1,6 @@ --- ms.date: 08/28/2017 --- ->[!IMPORTANT] +>[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 7095ae73d1..469a59e63e 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -15,12 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Turn on the preview experience in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index b20c0b27fa..934fbed168 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ ms.topic: conceptual # Windows Defender ATP preview features **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 69d7354d93..22a8c2fd31 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/19/2018 --- -# Pull Windows Defender ATP alerts using REST API +# Pull Windows Defender ATP alerts using SIEM REST API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -93,7 +92,7 @@ With an access token, your app can make authenticated requests to the Windows De ### Request syntax Method | Request URI :---|:---| -GET| Use the URI applicable for your region.

      **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts`
      **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts` +GET| Use the URI applicable for your region.

      **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts`
      **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
      **For UK**: `https://wdatp-alertexporter-uk.windows.com/api/alerts` ### Request header Header | Type | Description| @@ -134,7 +133,7 @@ The return value is an array of alert objects in JSON format. Here is an example return value: -```json +```json {"AlertTime":"2017-01-23T07:32:54.1861171Z", "ComputerDnsName":"desktop-bvccckk", "AlertTitle":"Suspicious PowerShell commandline", diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index 01a648cb4f..c64fd1617c 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Python code examples for the custom threat intelligence API @@ -23,7 +22,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index f2c279e739..38f1c79ee9 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -15,14 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 05/08/2018 --- # Manage portal access using role-based access control **Applies to:** - Azure Active Directory - Office 365 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 8f7a09142a..544077f49b 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Take response actions on a file **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -109,13 +108,17 @@ You can roll back and remove a file from quarantine if you’ve determined that You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!IMPORTANT] ->- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

      +>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +>- The Antimalware client version must be 4.18.1901.x or later. >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. >- This response action is available for machines on Windows 10, version 1703 or later. +>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. + + >[!NOTE] > The PE file needs to be in the machine timeline for you to be able to take this action. - +>- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. ### Enable the block file feature Before you can block files, you'll need to enable the feature. @@ -149,6 +152,9 @@ Before you can block files, you'll need to enable the feature. When the file is blocked, there will be a new event in the machine timeline.
      +>[!NOTE] +>-If a file was scanned before the action was taken, it may take longer to be effective on the device. + **Notification on machine user**:
      When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked: @@ -247,19 +253,19 @@ If you encounter a problem when trying to submit a file, try each of the followi 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). 2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. 3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. -4. Verify the policy setting enables sample collection and try to submit the file again. +4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - a. Change the following registry entry and values to change the policy on specific machines: - ``` -HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection - Value = 0 – block sample collection - Value = 1 – allow sample collection -``` + ``` + Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + Name: AllowSampleCollection + Type: DWORD + Hexadecimal value : + Value = 0 – block sample collection + Value = 1 – allow sample collection + ``` 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). -> [!NOTE] -> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. ## Related topic - [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index c82e80bdbd..9d051a1e7e 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/28/2018 --- # Take response actions on a machine **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 0c62d93571..6e601dc0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/12/2017 --- # Take response actions in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -31,7 +30,7 @@ ms.date: 11/12/2017 You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. >[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703 or higher. +> The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows Server, version 1803 and Windows Server 2019. ## In this section Topic | Description diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 5cf3e7bd28..671ec7d8fe 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Restrict app execution API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index b3d7d901b7..9d9ea6c85d 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md @@ -14,26 +14,21 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/03/2018 --- # Advanced hunting API + **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prerelease information](prerelease.md)] - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting). ## Limitations -This API is a beta version only and is currently restricted to the following actions: -1. ​You can only run a query on data from the last 30 days +1. You can only run a query on data from the last 30 days 2. The results will include a maximum of 10,000 rows -3. The number of executions is limited​ (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day) +3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day) +4. The maximal execution time of a single request is 10 minutes. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -45,7 +40,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data') +>- The user needs to have 'View Data' AD role >- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request @@ -135,7 +130,7 @@ Content-Type: application/json​ ## T​roubl​eshoot issues -- Error: (403) Forbidden +- Error: (403) Forbidden / (401) Unauthorized If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission. diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md index 90d62c40c1..dd2f1dc672 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/24/2018 --- # Schedule Advanced Hunting using Microsoft Flow diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md index dbbd0cd122..9282b0c321 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 30/07/2018 --- # Create custom reports using Power BI (app authentication) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md index f4b88a4481..83380bfe20 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -14,12 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 30/07/2018 --- # Create custom reports using Power BI (user authentication) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md index 88eb22a167..487b150df6 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/24/2018 --- # Advanced Hunting using PowerShell **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). @@ -65,7 +62,7 @@ $aadToken = $response.access_token where - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP) - $appSecret: Secret of your AAD app ## Run query diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md index 2b39edf624..a80cd077b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 30/07/2018 --- # Advanced Hunting using Python **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md). @@ -65,7 +62,7 @@ aadToken = jsonResponse["access_token"] where - tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP) - appSecret: Secret of your AAD app ## Run query diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 4a58f9eedf..95d084af2a 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Run antivirus scan API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prerelease information](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Initiate Windows Defender Antivirus scan on a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index ec866e736e..098f8b6720 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/07/2018 --- # Run a detection test on a newly onboarded Windows Defender ATP machine @@ -26,7 +25,7 @@ ms.date: 09/07/2018 - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 2a6ed6838b..d3c9466607 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -14,12 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/26/2018 --- # Configure the security controls in Secure score **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Each security control lists recommendations that you can take to increase the security posture of your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 7c773ae71b..b152fd4194 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/04/2018 --- # Windows Defender Security Center Security operations dashboard **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 9189cf364e..6d64ca2629 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Check the Windows Defender Advanced Threat Protection service health **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md index 49687ff26c..b64296d1c8 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md @@ -14,17 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Stop and quarantine file API - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prereleaseinformation](prerelease.md)] -- Stop execution of a file on a machine and delete it. +Stop execution of a file on a machine and delete it. [!include[Machine actions note](machineactionsnote.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index bc06fcaf60..cdcdf40b44 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/01/2017 --- # Supported Windows Defender ATP query APIs **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md deleted file mode 100644 index bbcdcee3cf..0000000000 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Threat analytics for Spectre and Meltdown -description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. -keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 09/03/2018 ---- - -# Threat analytics for Spectre and Meltdown -**Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization. - -[Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs. - -Mitigating these vulnerabilities involves a complex multivendor update. It requires updates to Windows and Microsoft browsers using the [January 2018 Security Updates from Microsoft](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99) and updates to processor microcode using fixes released by OEM and CPU vendors. - -## Prerequisites -Note the following requirements and limitations of the charts and what you might be able to do to improve visibility of the mitigation status of machines in your network: - -- Only active machines running Windows 10 are checked for OS mitigations. -- When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only. -- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to Security intelligence version 1.259.1545.0 or above. -- To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information. - -## Assess organizational risk with Threat analytics - -Threat analytics helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of the following mitigations: - -- **OS mitigation**: Identifies machines that have installed the January 2018 Security Updates from Microsoft and have not explicitly disabled any of the OS mitigations provided with these updates -- **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them -- **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits - - -To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**. - -Click a section of each chart to get a list of the machines in the corresponding mitigation status. - -## Related topics -- [Threat analytics](threat-analytics.md) -- [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md) -- [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) - - diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md index a4669b615e..4fe07149cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md @@ -15,12 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/29/2018 --- # Threat analytics **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md new file mode 100644 index 0000000000..22ef58fb69 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -0,0 +1,107 @@ +--- +title: Threat & Vulnerability Management scenarios +description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats. +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Threat & Vulnerability Management scenarios +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +## Before you begin +Ensure that your machines: +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Running with Windows 10 1709 (Fall Creators Update) or later +- Have the following mandatory updates installed: +- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) +- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) +- Have at least one security recommendation that can be viewed in the machine page +- Are tagged or marked as co-managed + + +## Reduce your threat and vulnerability exposure +Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. + +The exposure score is continuously calculated on each device in the organization and influenced by the following factors: +- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device +- External and internal threats such as public exploit code and security alerts +- Likelihood of the device getting breached given its current security posture +- Value of the device to the organization given its role and content + +The exposure score is broken down into the following levels: +- 0 to 29: low exposure score +- 30 to 69: medium exposure score +- 70 to 100: high exposure score + +You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. + +To lower down your threat and vulnerability exposure: + +1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page. + + >>![top security recommendations](images/tvm_security_recommendations.png) + + >[!NOTE] + > There are two types of recommendations: + > - Security update which refers to recommendations that require a package installation + > - Configuration change which refers to recommendations that require a registry or GPO modification + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon. + +2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png) + +3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page ](images/tvm_software_page_details.png) + +4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png) + +5. Allow a few hours for the changes to propagate in the system. + +6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease. + +## Improve your security configuration +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. + +Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger. + +1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls. + + >>![configuration score widget](images/tvm_config_score.png) + +2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. + ![security controls related security recommendations](images/tvm_security_controls.png) + +3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. + + >>![request remediation](images/tvm_request_remediation.png). + + >You will see a confirmation message that the remediation task has been created. + >![remediation task creation confirmation](images/tvm_remediation_task_created.png) + +4. Save your CSV file. + ![save csv file](images/tvm_save_csv_file.png) + +5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system. + +6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase. + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index 32eb1e6116..005f30d3e8 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Understand threat intelligence concepts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md index 0791b9b679..54a2033aa8 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md @@ -15,14 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/03/2018 --- # Microsoft Threat Protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md index 04e187f344..c95bd47a62 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md @@ -8,6 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp @@ -19,13 +20,13 @@ ms.topic: article # Threat protection report in Windows Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time. -The dashboard is structured into two columns: +The dashboard is structured into two sections: ![Image of the threat protection report](images/atp-threat-protection-reports.png) @@ -42,7 +43,7 @@ By default, the alert trends display alert information from the 30-day period en - 6 months - Custom -While the alerts trends shows trending information alerts, the alert summary shows alert information scoped to 6 months. +While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day. The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections. @@ -75,4 +76,7 @@ For example, to show data about high-severity alerts only: 1. Under **Filters > Severity**, select **High** 2. Ensure that all other options under **Severity** are deselected. -3. Select **Apply**. \ No newline at end of file +3. Select **Apply**. + +## Related topic +- [Machine health and compliance report](machine-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md index e7d1f84fe2..f9dd490e81 100644 --- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -1,7 +1,7 @@ --- -title: TiIndicator resource type -description: TiIndicator entity description. -keywords: apis, supported apis, get, TiIndicator, recent +title: Indicator resource type +description: Indicator entity description. +keywords: apis, supported apis, get, TiIndicator, Indicator, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -14,36 +14,33 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- -# TI(threat intelligence) Indicator resource type - +# Indicator resource type **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Method|Return Type |Description :---|:---|:--- -[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. -[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. -[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. -[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +[Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +- See the corresponding [page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal: # Properties Property | Type | Description :---|:---|:--- -indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +indicatorValue | String | Identity of the [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" -title | String | Ti indicator alert title. +title | String | Indicator alert title. creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. createdBy | String | Identity of the user/application that submitted the indicator. expirationTime | DateTimeOffset | The expiration time of the indicator action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed" severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High" description | String | Description of the indicator. -recommendedActions | String | TI indicator alert recommended actions. +recommendedActions | String | Indicator alert recommended actions. +rbacGroupNames | List of strings | RBAC group names where the indicator is exposed. Empty list in case it exposed to all groups. diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index 9fb06adc92..ea1cc5d2b6 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/13/2018 --- # Windows Defender Security Center time zone settings **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 89c8c201fd..96753d16e3 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -15,17 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 06/25/2018 --- # Troubleshoot custom threat intelligence issues **Applies to:** - - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You might need to troubleshoot issues while using the custom threat intelligence feature. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 61bb32e5a1..4541e327e6 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -8,22 +8,19 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-tanewt -author: tbit0001 +ms.author: macapara +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 08/01/2018 --- # Troubleshoot subscription and portal access issues **Applies to:** - - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 82e4b1c6f7..38a88cfe19 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -1,313 +1,312 @@ ---- -title: Troubleshoot Windows Defender ATP onboarding issues -description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. -keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: troubleshooting -ms.date: 09/07/2018 ---- - -# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues - -**Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -- Windows Server 2012 R2 -- Windows Server 2016 - - - -You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. -This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. - -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem. - -## Troubleshoot onboarding when deploying with Group Policy -Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. - -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). - -If the script completes successfully, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur. - -## Troubleshoot onboarding issues when deploying with System Center Configuration Manager -When onboarding machines using the following versions of System Center Configuration Manager: -- System Center 2012 Configuration Manager -- System Center 2012 R2 Configuration Manager -- System Center Configuration Manager (current branch) version 1511 -- System Center Configuration Manager (current branch) version 1602 - - -Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. - -If the deployment fails, you can check the output of the script on the machines. - -If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur. - -## Troubleshoot onboarding when deploying with a script - -**Check the result of the script on the machine**: -1. Click **Start**, type **Event Viewer**, and press **Enter**. - -2. Go to **Windows Logs** > **Application**. - -3. Look for an event from **WDATPOnboarding** event source. - -If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue. -> [!NOTE] -> The following event IDs are specific to the onboarding script only. - -Event ID | Error Type | Resolution steps -:---|:---|:--- -5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. -10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
      ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
      Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

      If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. -15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. -30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
      ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
      The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -65 | Insufficient privileges| Run the script again with administrator privileges. - -## Troubleshoot onboarding issues using Microsoft Intune -You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. - -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. - -Use the following tables to understand the possible causes of issues while onboarding: - -- Microsoft Intune error codes and OMA-URIs table -- Known issues with non-compliance table -- Mobile Device Management (MDM) event logs table - -If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. - -**Microsoft Intune error codes and OMA-URIs**: - - -Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps -:---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
      Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

      **Troubleshooting steps:**
      Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.

      Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - | | | | Onboarding
      Offboarding
      SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

      **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

      If it doesn't exist, open an elevated command and add the key. - | | | | SenseIsRunning
      OnboardingState
      OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

      **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).

      Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

      Currently is supported platforms: Enterprise, Education, and Professional.
      Server is not supported. - 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

      Currently is supported platforms: Enterprise, Education, and Professional. - -
      -**Known issues with non-compliance** - -The following table provides information on issues with non-compliance and how you can address the issues. - -Case | Symptoms | Possible cause and troubleshooting steps -:---|:---|:--- -1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

      **Troubleshooting steps:** Wait for OOBE to complete. -2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

      **Troubleshooting steps:** The issue should automatically be fixed within 24 hours. -3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. - -
      -**Mobile Device Management (MDM) event logs** - -View the MDM event logs to troubleshoot issues that might arise during onboarding: - -Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider - -Channel name: Admin - -ID | Severity | Event description | Troubleshooting steps -:---|:---|:---|:--- -1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). - -## Troubleshoot onboarding issues on the machine -If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: -- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) -- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) -- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) -- [Ensure the machine has an Internet connection](#ensure-the-endpoint-has-an-internet-connection) -- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) - - -### View agent onboarding errors in the machine event log - -1. Click **Start**, type **Event Viewer**, and press **Enter**. - -2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. - - > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. - -3. Select **Operational** to load the log. - -4. In the **Action** pane, click **Filter Current log**. - -5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**. - - ![Image of Event Viewer log filter](images/filter-log.png) - -6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table: - -Event ID | Message | Resolution steps -:---|:---|:--- -5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection). -6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). -7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. -9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

      If the event happened during offboarding, contact support. -10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

      If the problem persists, contact support. -15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection). -17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. -25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. -27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. -29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. -30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. -32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. -55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. -63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. -64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. -68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. -69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. - -
      -There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. - - -### Ensure the diagnostic data service is enabled -If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. - -First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). - -### Ensure the service is set to start - -**Use the command line to check the Windows 10 diagnostic data service startup type**: - -1. Open an elevated command-line prompt on the machine: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - - If the service is enabled, then the result should look like the following screenshot: - - ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) - - If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. - - -**Use the command line to set the Windows 10 diagnostic data service to automatically start:** - -1. Open an elevated command-line prompt on the machine: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc config diagtrack start=auto - ``` - -3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - -4. Start the service. - - a. In the command prompt, type the following command and press **Enter**: - - ```text - sc start diagtrack - ``` - -### Ensure the machine has an Internet connection - -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. - -WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. - -To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. - -If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. - -### Ensure that Windows Defender Antivirus is not disabled by a policy -**Problem**: The Windows Defender ATP service does not start after onboarding. - -**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. - -**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - -- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: - - - DisableAntiSpyware - - DisableAntiVirus - - For example, in Group Policy there should be no entries such as the following values: - - - `````` - - `````` -- After clearing the policy, run the onboarding steps again. - -- You can also check the following registry key values to verify that the policy is disabled: - - 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. - 2. Ensure that the value ```DisableAntiSpyware``` is not present. - - ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png) - - -## Troubleshoot onboarding issues on a server -If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. - -- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma) -- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy) - -You might also need to check the following: -- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: - - ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png) - -- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. - -- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, - - ![Image of Services](images/atp-services.png) - -- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. - - ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) - -- Check to see that machines are reflected in the **Machines list** in the portal. - - -## Licensing requirements -Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - - - Windows 10 Enterprise E5 - - Windows 10 Education E5 - - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 - -For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) - - -## Related topics -- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) -- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - +--- +title: Troubleshoot Windows Defender ATP onboarding issues +description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. +keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Windows Server 2012 R2 +- Windows Server 2016 + + + +You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. +This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. + +If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem. + +## Troubleshoot onboarding when deploying with Group Policy +Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. + +If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). + +If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. + +## Troubleshoot onboarding issues when deploying with System Center Configuration Manager +When onboarding machines using the following versions of System Center Configuration Manager: +- System Center 2012 Configuration Manager +- System Center 2012 R2 Configuration Manager +- System Center Configuration Manager (current branch) version 1511 +- System Center Configuration Manager (current branch) version 1602 + + +Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. + +If the deployment fails, you can check the output of the script on the machines. + +If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. + +## Troubleshoot onboarding when deploying with a script + +**Check the result of the script on the machine**: +1. Click **Start**, type **Event Viewer**, and press **Enter**. + +2. Go to **Windows Logs** > **Application**. + +3. Look for an event from **WDATPOnboarding** event source. + +If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue. +> [!NOTE] +> The following event IDs are specific to the onboarding script only. + +Event ID | Error Type | Resolution steps +:---|:---|:--- +5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
      ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
      Verify that the script was ran as an administrator. +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

      If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. +15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. +30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
      ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
      The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +65 | Insufficient privileges| Run the script again with administrator privileges. + +## Troubleshoot onboarding issues using Microsoft Intune +You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. + +If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. + +Use the following tables to understand the possible causes of issues while onboarding: + +- Microsoft Intune error codes and OMA-URIs table +- Known issues with non-compliance table +- Mobile Device Management (MDM) event logs table + +If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. + +**Microsoft Intune error codes and OMA-URIs**: + + +Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps +:---|:---|:---|:---|:--- +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
      Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

      **Troubleshooting steps:**
      Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section.

      Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | | Onboarding
      Offboarding
      SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

      **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

      If it doesn't exist, open an elevated command and add the key. + | | | | SenseIsRunning
      OnboardingState
      OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

      **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine).

      Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

      Currently is supported platforms: Enterprise, Education, and Professional.
      Server is not supported. + 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

      Currently is supported platforms: Enterprise, Education, and Professional. + +
      +**Known issues with non-compliance** + +The following table provides information on issues with non-compliance and how you can address the issues. + +Case | Symptoms | Possible cause and troubleshooting steps +:---|:---|:--- +1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

      **Troubleshooting steps:** Wait for OOBE to complete. +2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

      **Troubleshooting steps:** The issue should automatically be fixed within 24 hours. +3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. + +
      +**Mobile Device Management (MDM) event logs** + +View the MDM event logs to troubleshoot issues that might arise during onboarding: + +Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider + +Channel name: Admin + +ID | Severity | Event description | Troubleshooting steps +:---|:---|:---|:--- +1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). + +## Troubleshoot onboarding issues on the machine +If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) +- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) +- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) +- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) +- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) + + +### View agent onboarding errors in the machine event log + +1. Click **Start**, type **Event Viewer**, and press **Enter**. + +2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. + + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + +3. Select **Operational** to load the log. + +4. In the **Action** pane, click **Filter Current log**. + +5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**. + + ![Image of Event Viewer log filter](images/filter-log.png) + +6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table: + +Event ID | Message | Resolution steps +:---|:---|:--- +5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). +7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. +9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

      If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

      If the problem persists, contact support. +15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. +25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. +64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. +68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. +69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. + +
      +There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. + + +### Ensure the diagnostic data service is enabled +If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. + +First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). + +### Ensure the service is set to start + +**Use the command line to check the Windows 10 diagnostic data service startup type**: + +1. Open an elevated command-line prompt on the machine: + + a. Click **Start**, type **cmd**, and press **Enter**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + + If the service is enabled, then the result should look like the following screenshot: + + ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + + If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. + + +**Use the command line to set the Windows 10 diagnostic data service to automatically start:** + +1. Open an elevated command-line prompt on the machine: + + a. Click **Start**, type **cmd**, and press **Enter**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc config diagtrack start=auto + ``` + +3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + +4. Start the service. + + a. In the command prompt, type the following command and press **Enter**: + + ```text + sc start diagtrack + ``` + +### Ensure the machine has an Internet connection + +The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. + +WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. + +To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. + +If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. + +### Ensure that Windows Defender Antivirus is not disabled by a policy +**Problem**: The Windows Defender ATP service does not start after onboarding. + +**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. + +**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. + +- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: + + - DisableAntiSpyware + - DisableAntiVirus + + For example, in Group Policy there should be no entries such as the following values: + + - `````` + - `````` +- After clearing the policy, run the onboarding steps again. + +- You can also check the following registry key values to verify that the policy is disabled: + + 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. + 2. Ensure that the value ```DisableAntiSpyware``` is not present. + + ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png) + + +## Troubleshoot onboarding issues on a server +If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. + +- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma) +- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy) + +You might also need to check the following: +- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: + + ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png) + +- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. + +- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, + + ![Image of Services](images/atp-services.png) + +- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. + + ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) + +- Check to see that machines are reflected in the **Machines list** in the portal. + + +## Licensing requirements +Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: + + - Windows 10 Enterprise E5 + - Windows 10 Education E5 + - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 + +For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) + + +## Related topics +- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index e652ed98c1..a859c2f21b 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 11/08/2018 --- # Troubleshoot SIEM tool integration issues **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md index fccd8ca55a..f0636c3363 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 09/03/2018 --- # Troubleshoot Windows Defender Advanced Threat Protection diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index ee883b6d7f..95c591fbec 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting -ms.date: 07/30/2018 --- # Troubleshoot service issues diff --git a/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md new file mode 100644 index 0000000000..d66a7239fa --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md @@ -0,0 +1,76 @@ +--- +title: What's in the dashboard and what it means for my organization's security posture +description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: eADQiWindows 10XVcnh +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- +# Threat & Vulnerability Management dashboard overview + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Invaluable machine vulnerability context during incident investigations +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) + + >[!NOTE] + > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: +- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines +- Correlate EDR insights with endpoint vulnerabilities and process them +- Select remediation options, triage and track the remediation tasks + +## Threat & Vulnerability Management in Microsoft Defender Security Center +When you open the portal, you’ll see the main areas of the capability: + + ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) + + ![Threat & Vulnerability Management menu](images/tvm_menu.png) + +- (1) Menu in the navigation pane +- (2) Threat & Vulnerability Management icon +- (3) Threat & Vulnerability Management dashboard + +You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. + +Area | Description +:---|:--- +(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. +(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. +**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. +**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options. +**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. +**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. +(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. +**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. +**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. +**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. +**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page. +**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities. +**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. + +See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 07203db964..bcfc51d9e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 + --- # Release machine from isolation API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Undo isolation of a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index d6bd15719c..24e1453c32 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -14,14 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Remove app restriction API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[!include[Prereleaseinformation](prerelease.md)] +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Enable execution of any application on the machine. diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 8c700cf5fd..4f1fe6545e 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Update alert **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -[!include[Prereleaseinformation](prerelease.md)] Update the properties of an alert entity. ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md index 20e1451805..18e77632f4 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md @@ -1,7 +1,7 @@ --- -title: Use the Windows Defender Advanced Threat Protection APIs +title: Windows Defender ATP APIs description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. -keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -14,17 +14,18 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/28/2018 --- -# Use the Windows Defender ATP exposed APIs +# Windows Defender ATP APIs -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## In this section Topic | Description :---|:--- -Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP [on behalf of a user](exposed-apis-create-app-nativeapp.md) or [without a user](exposed-apis-create-app-webapp.md). -Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). +[Windows Defender ATP API overview](apis-intro.md) | Learn how to access to Windows Defender ATP Public API and on which context. +[Supported Windows Defender ATP APIs](exposed-apis-list.md) | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md). diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index ad0f8cbfec..be38700ccf 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -15,13 +15,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- # Use the threat intelligence API to create custom alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index ac8f1799c4..268f112212 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -15,14 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/12/2018 --- # Overview of Windows Defender Security Center **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 89ee51ebff..ab60042a21 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ ms.topic: article # Create and manage roles for role-based access control **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md index 12ad0a75b8..6bc2c21435 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md @@ -14,10 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # User resource type +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Method|Return Type |Description :---|:---|:--- diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md index e4a0548379..10af5a5e7c 100644 --- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md @@ -15,12 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/08/2018 --- # View and organize the Windows Defender Advanced Threat Protection Incidents queue **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md index 2c428b9ff1..b8352cb7d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -19,10 +19,30 @@ ms.topic: conceptual # What's new in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. +## April 2019 +The following capability is generally available (GA). + +- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis)
      Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. + + +### In preview +The following capabilities are included in the April 2019 preview release. + +- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
      A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. + +- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
      Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + +## March 2019 +### In preview +The following capability are included in the March 2019 preview release. + +- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection)
      The machine health and compliance report provides high-level information about the devices in your organization. + + ## February 2019 The following capabilities are generally available (GA). - [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
      Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. @@ -34,6 +54,7 @@ The following capability are included in the February 2019 preview release. - [Reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
      The threat protection report provides high-level information about alerts generated in your organization. +- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
      Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. ## October 2018 diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index f47bbf1c7e..14c491a3cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -1,8 +1,8 @@ --- title: Windows Defender Advanced Threat Protection description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, secure score, advanced hunting, microsoft threat protection -search.product: eADQiWindows 10XVcnh +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection +search.product: Windows 10 search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/07/2018 --- # Windows Defender Advanced Threat Protection @@ -48,33 +47,36 @@ Windows Defender ATP uses the following combination of technology built into Win

      Windows Defender ATP

      - + + - + - - +
      - -

      Attack surface reduction

      Threat & Vulnerability Management

      Attack surface reduction

      Next generation protection

      Endpoint detection and response

      Automated investigation and remediation

      Secure score

      Advanced hunting

      Microsoft Threat Experts
      +
      Management and APIs
      Microsoft Threat Protection
      Microsoft Threat Protection

      - - - >[!TIP] >- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). >- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + + +**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
      +This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. + + + **[Attack surface reduction](overview-attack-surface-reduction.md)**
      The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. @@ -87,22 +89,22 @@ To further reinforce the security perimeter of your network, Windows Defender AT **[Endpoint detection and response](overview-endpoint-detection-response.md)**
      Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +You can also do advanced hunting to create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. **[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md)**
      In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - **[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)**
      Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - + -**[Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)**
      -Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. +**[Microsoft Threat Experts](microsoft-threat-experts.md)**
      +Windows Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md index d85d398e43..3c620a48d0 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/01/2018 --- # Windows Defender Security Center diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index f010ab338b..5bfe2c6ba4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,15 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic +ms.date: 04/02/2019 --- # Reduce attack surfaces with attack surface reduction rules **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. +Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. @@ -31,30 +32,53 @@ Attack surface reduction rules target behaviors that malware and malicious apps You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender Security Center and in the Microsoft 365 securty center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Review attack surface reduction events in Windows Event Viewer + +You can review the Windows event log to view events that are created when attack surface reduction rules fire: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. + +2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer. + +3. Click **Import custom view...** on the left panel, under **Actions**. + +4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +5. Click **OK**. + +This will create a custom view that filters to only show the following events related to controlled folder access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1121 | Event when rule fires in Block-mode +1122 | Event when rule fires in Audit-mode + + ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: +The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: -Rule name | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Rule name | GUID | File & folder exclusions +-|-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported +Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. @@ -151,7 +175,12 @@ This rule blocks the following file types from launching unless they either meet >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria +>[!IMPORTANT] +>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. +> +>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. + +Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria @@ -219,7 +248,7 @@ This rule prevents Outlook from creating child processes. It protects against so >[!NOTE] >This rule applies to Outlook and Outlook.com only. -Intune name: Not yet available +Intune name: Process creation from Office communication products (beta) SCCM name: Not yet available @@ -229,13 +258,14 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. -Intune name: Not applicable +Intune name: Process creation from Adobe Reader (beta) SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) \ No newline at end of file +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index a17ef04dd9..5d82fb8254 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/18/2018 +ms.date: 04/02/2019 --- @@ -19,7 +19,7 @@ ms.date: 09/18/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. @@ -37,32 +37,13 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. +|Audit options | How to enable audit mode | How to view events | +|- | - | - | +|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) | +|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) | +|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | +|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) | -Audit options | How to enable audit mode | How to view events -- | - | - -Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md) -Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) - - -You can also use the a custom PowerShell script that enables the features in audit mode automatically: - -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine. - -1. Type **powershell** in the Start menu. - -2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. - -3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode: - ```PowerShell - Set-ExecutionPolicy Bypass -Force - \Enable-ExploitGuardAuditMode.ps1 - ``` - - Replace \ with the folder path where you placed the file. - - A message should appear to indicate that audit mode was enabled. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md deleted file mode 100644 index 9448ed601f..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ /dev/null @@ -1,65 +0,0 @@ ---- -title: Submit cab files related to problems -description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues. -keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic -ms.date: 08/08/2018 ---- - -# Collect diagnostic data for file submissions - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using attack surface reduction rules, network protection, exploit protection, and controlled folder access. - -In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [network protection](network-protection-exploit-guard.md). - -Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics: -- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) -- [Troubleshoot network protection](troubleshoot-np.md) - - - -1. On the endpoint with the issue, obtain the Windows Defender .cab diagnostic file by following this process: - - 1. Open an administrator-level version of the command prompt: - - 1. Open the **Start** menu. - - 2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**. - - 3. Enter administrator credentials or approve the prompt. - - 2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: - - ```Dos - cd c:\program files\windows defender - ``` - - 3. Enter the following command and press **Enter** - - ```Dos - mpcmdrun -getfiles - ``` - - 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. - -2. Attach this .cab file to the submission form where indicated. - - -## Related topics - -- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) -- [Troubleshoot network protection](troubleshoot-np.md) - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 68bff70bd4..77098d4c10 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -18,7 +18,7 @@ ms.date: 11/29/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 2b00cbb179..b772be4c4c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -18,7 +18,7 @@ ms.date: 12/19/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 5f501170df..05037553e3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,14 +11,13 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 --- # Customize controlled folder access **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -40,7 +39,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). You can use the Windows Security app or Group Policy to add and remove additional protected folders. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 2ad55e0a66..bde9222c86 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 03/26/2019 --- # Customize exploit protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. @@ -100,13 +100,16 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. +>[!NOTE] +>If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. + ### Configure system-level mitigations with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. -3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: +3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation @@ -114,32 +117,23 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may required a restart, which will be indicated in red text underneath the setting. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. +3. Go to the **Program settings** section and choose the app you want to apply mitigations to: -Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. - -### Configure app-specific mitigations with the Windows Security app - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen. - -3. Go to the **Program settings** section and choose the app you want to apply mitigations to: - - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. + + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. @@ -165,7 +159,7 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 3b65d090e5..843e0e7f4c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -18,7 +18,7 @@ ms.date: 08/08/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!IMPORTANT] >If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index c89bbdc0fa..73bc1915d3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -17,7 +17,7 @@ ms.author: v-anbic [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. ## Exclude files and folders from ASR rules @@ -36,6 +36,9 @@ You can exclude files and folders from being evaluated by most attack surface re You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. +>[!IMPORTANT] +>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. + ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -176,3 +179,4 @@ Value: c:\path|e:\path|c:\Whitelisted.exe - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 4f95d8c023..4cc8d86d0a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,22 +11,26 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 02/14/2019 +ms.date: 03/29/2019 --- # Enable controlled folder access **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +You can enable controlled folder access by using any of the these methods: -## Enable and audit controlled folder access +- Windows Security app +- Intune +- MDM +- Group Policy +- PowerShell cmdlets -You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. + Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. >[!NOTE] >The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. @@ -39,16 +43,31 @@ You can enable controlled folder access with the Security Center app, Group Poli >- System Center Endpoint Protection **Allow users to add exclusions and overrides** >For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). -### Use the Windows Defender Security app to enable controlled folder access +## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. -3. Set the switch for **Controlled folder access** to **On**. +3. Set the switch for **Controlled folder access** to **On**. +## Intune -### Use Group Policy to enable Controlled folder access +1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. +1. Click **Device configuration** > **Profiles** > **Create profile**. +1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. +1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) +1. Click **OK** to save each open blade and click **Create**. +1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. + +## MDM + +Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. + +## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -66,7 +85,7 @@ You can enable controlled folder access with the Security Center app, Group Poli >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. -### Use PowerShell to enable controlled folder access +## PowerShell 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. @@ -80,11 +99,6 @@ You can enable the feature in audit mode by specifying `AuditMode` instead of `E Use `Disabled` to turn the feature off. -### Use MDM CSPs to enable controlled folder access - -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. - - ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 69d9054c81..86f640ad6f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,36 +11,234 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 02/14/2019 +ms.date: 03/29/2019 --- # Enable exploit protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -## Enable and audit exploit protection +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. + +You can enable each mitigation separately by using any of the these methods: + +- Windows Security app +- Intune +- MDM +- Group Policy +- PowerShell cmdlets + +They are configured by default in Windows 10. + +You can set each mitigation to on, off, or to its default value. +Some mitigations have additional options. + +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. + +## Windows Security app + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + +3. Go to **Program settings** and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. + +3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: + - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation + +5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + +If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: + +Enabled in **Program settings** | Enabled in **System settings** | Behavior +:-: | :-: | :-: +[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** +[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** +[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** +[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option + +**Example 1** + +Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. + +Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. + +The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. + +**Example 2** + +Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. + +Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. + +Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. + +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +CFG will be enabled for *miles.exe*. + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + +3. Go to **Program settings** and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + +## Intune + +1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. +1. Click **Device configuration** > **Profiles** > **Create profile**. +1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: + ![Enable network protection in Intune](images/enable-ep-intune.png) +1. Click **OK** to save each open blade and click **Create**. +1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. + +## MDM + +Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. + +## Group Policy + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. + +6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. + +## PowerShell + +You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: + +```PowerShell +Get-ProcessMitigation -Name processName.exe +``` + +>[!IMPORTANT] +>System-level mitigations that have not been configured will show a status of `NOTSET`. +> +>For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> +>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> +>The default setting for each system-level mitigation can be seen in the Windows Security. + +Use `Set` to configure each mitigation in the following format: + +```PowerShell +Set-ProcessMitigation - - ,, +``` +Where: + +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. + - `-System` to indicate the mitigation should be applied at the system level +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. + +For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: + +```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` + +>[!IMPORTANT] +>Separate each mitigation option with commas. + +If you wanted to apply DEP at the system level, you'd use the following command: + +```PowerShell +Set-Processmitigation -System -Enable DEP +``` + +To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. + +If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + +```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` + +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. + + +Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet +- | - | - | - +Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available +Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available +Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available +Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Disable extension points | App-level only | ExtensionPoint | Audit not available +Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Validate handle usage | App-level only | StrictHandle | Audit not available +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available + + + +\[1\]: Use the following format to enable EAF modules for dlls for a process: + +```PowerShell +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +``` + + +## Customize the notification + +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. + + + -You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. -The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. -You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production. -You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. -See the following topics for instructions on configuring exploit protection mitigations and importing, exporting, and converting configurations: -1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) -2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). ## Related topics @@ -48,6 +246,3 @@ See the following topics for instructions on configuring exploit protection miti - [Evaluate exploit protection](evaluate-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index ee0f20632d..b1e858ebcb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -1,5 +1,5 @@ --- -title: Turn network protection on +title: Turn on network protection description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh @@ -11,28 +11,49 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 02/14/2019 +ms.date: 04/01/2019 --- # Enable network protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. +You can enable network protection by using any of the these methods: -This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). +- Intune +- MDM +- Group Policy +- PowerShell cmdlets +- Registry -## Enable and audit network protection +## Intune -You can enable network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. +1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. +1. Click **Device configuration** > **Profiles** > **Create profile**. +1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. + ![Enable network protection in Intune](images/enable-np-intune.png) +1. Click **OK** to save each open blade and click **Create**. +1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. -For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +## MDM -### Use Group Policy to enable or audit network protection +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +## Group Policy + +You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers. + +1. On a standalone computer, click **Start**, type and then click **Edit group policy**. + + -Or- + + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. @@ -43,11 +64,19 @@ For background information on how audit mode works, and when you might want to u - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. - >[!IMPORTANT] >To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - ### Use PowerShell to enable or audit network protection +You can confirm network protection is enabled on a local computer by using Registry editor: + +1. Click **Start** and type **regedit** to open **Registry Editor**. +1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection +1. Click **EnableNetworkProtection** and confirm the value: + - 0=Off + - 1=On + - 2=Audit + +## PowerShell 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -64,13 +93,13 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +## -### Use MDM CSPs to enable or audit network protection - -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection. - +Network protection can't be turned on using the Windows Security app, but you can enable it by ## Related topics -- [Protect your network](network-protection-exploit-guard.md) +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Network protection](network-protection-exploit-guard.md) - [Evaluate network protection](evaluate-network-protection.md) +- [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 7328140fee..8648bcd508 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -10,20 +10,32 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/15/2018 +ms.date: 04/01/2019 --- # Enable virtualization-based protection of code integrity **Applies to** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +>[!NOTE] +>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. + +>[!TIP] +> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book + +## HVCI Features + +* HVCI protects modification of the Code Flow Guard (CFG) bitmap. +* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. +* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. + ## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: @@ -215,6 +227,7 @@ This field indicates whether the Windows Defender Credential Guard or HVCI servi | **0.** | No services configured. | | **1.** | If present, Windows Defender Credential Guard is configured. | | **2.** | If present, HVCI is configured. | +| **3.** | If present, System Guard Secure Launch is configured. | #### SecurityServicesRunning @@ -225,7 +238,7 @@ This field indicates whether the Windows Defender Credential Guard or HVCI servi | **0.** | No services running. | | **1.** | If present, Windows Defender Credential Guard is running. | | **2.** | If present, HVCI is running. | - +| **3.** | If present, System Guard Secure Launch is running. | #### Version @@ -278,6 +291,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. + - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 290fbdaae4..93e5640492 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 04/02/2019 --- # Evaluate attack surface reduction rules **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. @@ -45,6 +45,17 @@ This enables all attack surface reduction rules in audit mode. >If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). +## Review attack surface reduction events in Windows Event Viewer + +To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. + + +| Event ID | Description | +|----------|-------------| +|5007 | Event when settings are changed | +| 1121 | Event when an attack surface reduction rule fires in block mode | +| 1122 | Event when an attack surface reduction rule fires in audit mode | + ## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 3357f3a4fc..958cc3e6d8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -18,7 +18,7 @@ ms.date: 11/16/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -45,7 +45,15 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode >If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +## Review controlled folder access events in Windows Event Viewer + +The following controlled folder access events appear in Windows Event Viewer. + +| Event ID | Description | +| --- | --- | +| 5007 | Event when settings are changed | +| 1124 | Audited controlled folder access event | +| 1123 | Blocked controlled folder access event | ## Customize protected folders and apps @@ -56,4 +64,4 @@ See [Protect important folders with controlled folder access](controlled-folders ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file +- [Use audit mode](audit-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index ec8690b50d..6ae70924c7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,41 +11,105 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 04/02/2019 --- # Evaluate exploit protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. +It consists of a number of mitigations that can be applied to either the operating system or an individual app. +Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. - -This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). +This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. +You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. +This lets you see a record of what *would* have happened if you had enabled the mitigation in production. +You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. -## Use audit mode to measure impact +## Enable exploit protection in audit mode -You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. +You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. -This lets you see a record of what *would* have happened if you had enabled the mitigation. +### Windows Security app -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -See the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + +3. Go to **Program settings** and choose the app you want to apply mitigations to: -For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + +### PowerShell + +To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. + +Configure each mitigation in the following format: + + +```PowerShell +Set-ProcessMitigation - - ,, +``` + +Where: + +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. + +| Mitigation | Audit mode cmdlet | +| - | - | +|Arbitrary code guard (ACG) | AuditDynamicCode | +|Block low integrity images | AuditImageLoad | +|Block untrusted fonts | AuditFont, FontAuditOnly | +|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | +|Disable Win32k system calls | AuditSystemCall | +|Do not allow child processes | AuditChildProcess | + +For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: + +```PowerShell +Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +``` + +You can disable audit mode by replacing `-Enable` with `-Disable`. + +## Review exploit protection audit events + +To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. + +Feature | Provider/source | Event ID | Description +:-|:-|:-:|:- +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) - [Enable network protection](enable-network-protection.md) - [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) - [Enable attack surface reduction](enable-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 9c5516c1de..74605b559a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,84 +11,60 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 04/02/2019 --- # Evaluate network protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. +This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain. ->[!NOTE] ->The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. -## Enable network protection +## Enable network protection in audit mode + +You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled. + +You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur. 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell - Set-MpPreference -EnableNetworkProtection Enabled + Set-MpPreference -EnableNetworkProtection AuditMode ``` -You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled". - ### Visit a (fake) malicious domain 1. Open Internet Explorer, Google Chrome, or any other browser of your choice. 1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net). -You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. +The network connection will be allowed and a test message will be displayed. ![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) ## Review network protection events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). +To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +| Event ID | Provide/Source | Description | +|-|-|-| +|5007 | Windows Defender (Operational) | Event when settings are changed | +|1125 | Windows Defender (Operational) | Event when a network connection is audited | +|1126 | Windows Defender (Operational) | Event when a network connection is blocked | -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to network protection: - -Event ID | Description --|- -5007 | Event when settings are changed -1125 | Event when rule fires in audit mode -1126 | Event when rule fires in block mode - - -## Use audit mode to measure impact - -You can also enable the network protection feature in audit mode. This lets you see a record of which IP addresses and domains would have been blocked if the feature were enabled. - -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. - -To enable audit mode, use the following PowerShell cmdlet: - -```PowerShell -Set-MpPreference -EnableNetworkProtection AuditMode -``` ->[!TIP] ->If you want to fully audit how network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md). ## Related topics -- [Protect your network](network-protection-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Network protection](network-protection-exploit-guard.md) +- [Enable network protection](enable-network-protection.md) +- [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index fc9d4153fb..c15f7d5f95 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -12,14 +12,14 @@ ms.date: 04/16/2018 ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 03/26/2019 --- # View attack surface reduction events **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities @@ -35,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the feature. ### Import an existing XML custom view @@ -43,11 +43,11 @@ You can also manually navigate to the event area that corresponds to the feature - Controlled folder access events custom view: *cfa-events.xml* - Exploit protection events custom view: *ep-events.xml* - Attack surface reduction events custom view: *asr-events.xml* - - Network protection events custom view: *np-events.xml* + - Network/ protection events custom view: *np-events.xml* -1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. +1. Type **event viewer** in the Start menu and open **Event Viewer**. -3. On the left panel, under **Actions**, click **Import Custom View...** +3. Click **Action** > **Import Custom View...** ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif) @@ -55,7 +55,7 @@ You can also manually navigate to the event area that corresponds to the feature 4. Click **Open**. -5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). +5. This will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly @@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the feature 4. Click **OK**. Specify a name for your filter. -5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). +5. This will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index e84b78a8a0..72869c7925 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,56 +11,42 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/29/2018 +ms.date: 04/02/2019 --- # Protect devices from exploits **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - You [configure these settings using the Windows Security app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. +You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. - When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. +You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. - >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +>[!IMPORTANT] +>If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. - ## Review exploit protection events in Windows Event Viewer +## Review exploit protection events in Windows Event Viewer You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - - ![Antimated GIF highlighting the import custom view button on the right pane ](images/events-import.gif) - -4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -5. Click **OK**. - -6. This will create a custom view that filters to only show the following events related to Exploit protection: - Provider/source | Event ID | Description -|:-:|- Security-Mitigations | 1 | ACG audit @@ -97,22 +83,8 @@ Win32K | 260 | Untrusted Font > >You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. - -Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. - -EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. - -After July 31, 2018, it will not be supported. - -For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - -## Feature comparison - - The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. +This section compares exploit protection in Windows Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. +The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET -|:-:|:-: @@ -182,5 +154,6 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check - [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png index 6b078ec9d5..afb220f764 100644 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png new file mode 100644 index 0000000000..f9a64efbd7 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png new file mode 100644 index 0000000000..ddf0ca23e9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png new file mode 100644 index 0000000000..7401e1e87f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png new file mode 100644 index 0000000000..f8e4dc98d1 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png new file mode 100644 index 0000000000..620d786868 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png new file mode 100644 index 0000000000..e89118fd47 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png new file mode 100644 index 0000000000..604dceff4c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 99eb36540f..1be2ff6cb2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -18,7 +18,7 @@ ms.date: 04/30/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 11ff56a123..aed6d58094 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 78f14e5a59..8ffcfaf3cd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -18,7 +18,7 @@ ms.date: 02/14/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. @@ -37,7 +37,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements -Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. +Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus - | - @@ -53,17 +53,11 @@ You can query Windows Defender ATP data by using [Advanced hunting](https://docs You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. +1. [Copy the XML directly](event-views-exploit-guard.md). -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Click **OK**. -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to network protection: +3. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index c803573a3f..514a74a4ea 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 10/20/2017 **Applies to** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 46df2bf21d..0eea5319db 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -11,13 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic +ms.date: 03/27/2019 --- # Troubleshoot attack surface reduction rules **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: @@ -26,17 +27,17 @@ When you use [attack surface reduction rules](attack-surface-reduction-exploit-g There are four steps to troubleshooting these problems: -1. Confirm that you have met all pre-requisites +1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs -## Confirm pre-requisites +## Confirm prerequisites Attack surface reduction rules will only work on devices with the following conditions: >[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). +> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). @@ -45,27 +46,14 @@ If these pre-requisites have all been met, proceed to the next step to test the ## Use audit mode to test the rule -There are two ways that you can test if the rule is working. +You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. -You can use a pre-configured demo tool to confirm attack surface reduction rules are generally working on the device, or you can use audit mode, which enables rules for reporting only. +Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. -The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the attack surface reduction rule feature as a whole is operating correctly. - -If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). - -Follow the instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. - ->[!TIP] ->While the instructions for using the demo tool are intended for evaluating or seeing how attack surface reduction rules work, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. - -Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. - -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). 3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. ->[!TIP] ->Audit mode will stop the rule from blocking the file or process. > >If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. > @@ -74,36 +62,39 @@ Audit mode allows the rule to report as if it actually blocked the file or proce If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: 1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). -2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). +2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive -You can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. +If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. -This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us. - -To add an exclusion, see the [Customize Attack surface reduction](customize-attack-surface-reduction.md) topic. +To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md). >[!IMPORTANT] >You can specify individual files and folders to be excluded, but you cannot specify individual rules. -> >This means any files or folders that are excluded will be excluded from all ASR rules. -If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us. +## Report a false positive or false negative -## Collect diagnostic data +Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with attack surface reduction rules. +## Collect diagnostic data for file submissions -When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). +When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. -You must also attach associated files in a .zip file (such as the file or executable that is not being blocked, or being incorrectly blocked) along with a diagnostic .cab file to your submission. - -Follow the link below for instructions on how to collect the .cab file: - -> [!div class="nextstepaction"] -> [Collect and submit diagnostic data](collect-cab-files-exploit-guard-submission.md) +1. Open an elevated command prompt and change to the Windows Defender directory: + ```console + cd c:\program files\windows defender + ``` +2. Run this command to generate the diagnostic logs: + ```console + mpcmdrun -getfiles + ``` +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics - [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index ede76cf20a..7820eac52f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index b091e01721..708142ccf5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 03/27/2019 --- # Troubleshoot network protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - IT administrators @@ -29,12 +29,12 @@ When you use [Network protection](network-protection-exploit-guard.md) you may e There are four steps to troubleshooting these problems: -1. Confirm that you have met all pre-requisites +1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs -## Confirm pre-requisites +## Confirm prerequisites Network protection will only work on devices with the following conditions: @@ -43,50 +43,47 @@ Network protection will only work on devices with the following conditions: > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). -If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. -## Use audit mode to test the rule +## Use audit mode -There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode. +You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. -You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions. - -If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). - ->[!TIP] ->While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. - -You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. - -1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +1. Set network protection to **Audit mode**. + ```powershell + Set-MpPreference -EnableNetworkProtection AuditMode + ``` 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). 3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. - - ->[!IMPORTANT] ->Audit mode will stop network protection from blocking known malicious connections. > ->If network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. -> ->Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +>If network protection is not blocking a connection that you are expecting it should block, enable the feature. - -If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. +```powershell +Set-MpPreference -EnableNetworkProtection Enabled +``` ## Report a false positive or false negative -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with network protection. +If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). -When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). +## Collect diagnostic data for file submissions -You can also attach a diagnostic .cab file to your submission if you wish (this is not required). Follow the link below for instructions on how to collect the .cab file: +When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. -> [!div class="nextstepaction"] -> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) +1. Open an elevated command prompt and change to the Windows Defender directory: + ```console + cd c:\program files\windows defender + ``` +2. Run this command to generate the diagnostic logs: + ```console + mpcmdrun -getfiles + ``` +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) - [Network protection](network-protection-exploit-guard.md) +- [Evaluate network protection](evaluate-network-protection.md) +- [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index bdf4311dfe..32055b2546 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. @@ -60,7 +60,7 @@ This section covers requirements for each feature in Windows Defender EG. | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | +| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 03fbaffd0c..15efbf1a94 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -1,6 +1,6 @@ --- -title: How a hardware-based root of trust helps protect Windows 10 (Windows 10) -description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. +title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10) +description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb search.appverid: met150 ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha -ms.date: 02/14/2019 +ms.date: 03/01/2019 --- @@ -43,7 +43,7 @@ In addition, a bug fix for UEFI code can take a long time to design, build, rete ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) -Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). +[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md new file mode 100644 index 0000000000..9f39c8f835 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md @@ -0,0 +1,83 @@ +--- +title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10) +description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: justinha +ms.date: 03/01/2019 +--- + + +# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 + +In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. + +Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: + +- Protect and maintain the integrity of the system as it starts up +- Validate that system integrity has truly been maintained through local and remote attestation + +## Maintaining the integrity of the system as it starts + +### Static Root of Trust for Measurement (SRTM) + +With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. +This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. + +With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. +This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). +This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). + +As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. +Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist). +Each option has a drawback: + +- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust. +- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. +In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy. + +### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) + +Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). +DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. +This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. + + +![System Guard Secure Launch](images/system-guard-secure-launch.png) + +Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. + +### System Management Mode (SMM) protection + +System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. +Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. +SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. +To defend against this, two techniques are used: + +1. Paging protection to prevent inappropriate access to code and data +2. SMM hardware supervision and attestation + +Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. +This prevents access to any memory that has not been specifically assigned. + +A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. + +SMM protection is built on top of the Secure Launch technology and requires it to function. +In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. + +## Validating platform integrity after Windows is running (run time) + +While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. + +As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. + + +![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) + +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. + diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 0a5094e748..73a279e7a5 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,12 +8,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha -ms.date: 02/14/2019 +ms.date: 03/01/2019 --- # System Guard Secure Launch and SMM protection -This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices. The information below is presented from a client perspective. +This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 devices. The information below is presented from a client perspective. ## How to enable System Guard Secure Launch diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md index 19f2d4873f..e3271818c1 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.md +++ b/windows/security/threat-protection/windows-firewall/TOC.md @@ -95,6 +95,7 @@ #### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) #### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) #### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) +#### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md) #### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) #### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) #### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 9847ec13b0..4a86815d9b 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 04/02/2019 --- # Assign Security Group Filters to the GPO @@ -23,7 +23,8 @@ ms.date: 04/19/2017 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. ->**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. +>[!IMPORTANT] +>This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.   @@ -47,7 +48,8 @@ Use the following procedure to add a group to the security filter on the GPO tha 3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**. - >**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. + >[!NOTE] + >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the **Authenticated Users** group is removed, and new security filtering is added using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this [Microsoft blog](https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Who-broke-my-user-GPOs/ba-p/258781). 4. Click **Add**. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md new file mode 100644 index 0000000000..59c112d9c6 --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -0,0 +1,140 @@ +--- +title: Create Windows Firewall rules in Intune (Windows 10) +description: Explains how to create Windows Firewall rules in Intune +ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: tewchen +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- + +# Create Windows Firewall rules in Intune + +**Applies to** +- Windows 10 + +>[!IMPORTANT] +>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +To get started, open Device Configuration in Intune, then create a new profile. +Choose Windows 10 as the platform, and Endpoint Protection as the profile type. +Select Windows Defender Firewall. +Add a firewall rule to this new Endpoint Protection profile using the Add button at the bottom of the blade. + +![Windows Defender Firewall in Intune](images/windows-firewall-intune.png) + +>[!IMPORTANT] +>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it. + +## Firewall rule components + +Following table has description for each field. + + +| Property | Type | Description | +|----------|------|-------------| +| DisplayName | String | The display name of the rule. Does not need to be unique. | +| Description | String | The description of the rule. | +| PackageFamilyName | String | The package family name of a Microsoft Store application that's affected by the firewall rule. | +| FilePath | String | The full file path of an app that's affected by the firewall rule. | +| FullyQualifiedBinaryName | String | The fully qualified binary name. | +| ServiceName | String | The name used in cases when a service, not an application, is sending or receiving traffic. | +| Protocol | Nullable Integer - default value is null which maps to All | 0-255 number representing the [IP protocol](https://www.wikipedia.org/wiki/List_of_IP_protocol_numbers) (TCP = 6, UDP = 17). If not specified, the default is All. | +| LocalPortRanges | String array | List of local port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. | +| RemotePortRanges | String array | List of remote port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. | +| LocalAddressRanges | String array | List of local addresses covered by the rule. Valid tokens include:
      - "\*" indicates any local address. If present, this must be the only token included.
      - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
      - A valid IPv6 address.
      - An IPv4 address range in the format of "start address - end address" with no spaces included.
      - An IPv6 address range in the format of "start address - end address" with no spaces included.
      Default is any address. | +| RemoteAddressRanges | String array | List of tokens specifying the remote addresses covered by the rule.Tokens are case insensitive. Valid tokens include:
      - "\*" indicates any remote address. If present, this must be the only token included.
      - "Defaultgateway"
      - "DHCP"
      - "DNS"
      - "WINS"
      - "Intranet"
      - "RmtIntranet"
      - "Internet"
      - "Ply2Renders"
      - "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
      - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
      - A valid IPv6 address.
      - An IPv4 address range in the format of "start address - end address" with no spaces included.
      - An IPv6 address range in the format of "start address - end address" with no spaces included.
      Default is any address. | +| ProfileTypes | WindowsFirewallNetworkProfileTypes | Specifies the profiles to which the rule belongs. If not specified, the default is All. | +| Action| StateManagementSetting | The action the rule enforces. If not specified, the default is Allowed. | +| TrafficDirection | WindowsFirewallRuleTrafficDirectionType | The traffic direction that the rule is enabled for. If not specified, the default is Out. | +| InterfaceTypes | WindowsFirewallRuleInterfaceTypes | The interface types of the rule. | +| EdgeTraversal | StateManagementSetting | Indicates whether edge traversal is enabled or disabled for this rule.
      The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
      New rules have the EdgeTraversal property disabled by default. | +| LocalUserAuthorizations | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. | + + +## Application +Control connections for an app or program. +Apps and programs can be specified either file path, package family name, or Windows service short name. + +The file path of an app is its location on the client device. +For example, C:\Windows\System\Notepad.exe. +[Learn more](https://aka.ms/intunefirewallfilepathrule) + +Package family names can be retrieved by running the Get-AppxPackage command from PowerShell. +[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) + +Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. +Default ia All. + +[Learn more](https://aka.ms/intunefirewallServiceNameRule) + +## Protocol +Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol. + +Default is Any. + +[Learn more](https://aka.ms/intunefirewallprotocolrule) + +## Local ports +Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. + +[Learn more](https://aka.ms/intunefirewalllocalportrule) + +## Remote ports +Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. + +[Learn more](https://aka.ms/intunefirewallremoteportrule) + +## Local addresses +Comma separated list of local addresses covered by the rule. Valid tokens include: +- \* indicates any local address. If present, this must be the only token included. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address. + +[Learn more](https://aka.ms/intunefirewalllocaladdressrule) + +## Remote addresses +List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include: +- \* indicates any remote address. If present, this must be the only token included. +- Defaultgateway +- DHCP +- DNS +- WINS +- Intranet (supported on Windows versions 1809+) +- RmtIntranet (supported on Windows versions 1809+) +- Internet (supported on Windows versions 1809+) +- Ply2Renders (supported on Windows versions 1809+) +- LocalSubnet indicates any local address on the local subnet. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +Default is Any address. + +[Learn more](https://aka.ms/intunefirewallremotaddressrule) + +## Edge traversal (coming soon) +Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. + +[Learn more](https://aka.ms/intunefirewalledgetraversal) + +## Authorized users +Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. Default is all users. + +[Learn more](https://aka.ms/intunefirewallauthorizedusers) + +## Configuring firewall rules programmatically + +Coming soon. + + diff --git a/windows/security/threat-protection/windows-firewall/images/windows-firewall-intune.png b/windows/security/threat-protection/windows-firewall/images/windows-firewall-intune.png new file mode 100644 index 0000000000..796a030a6e Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/windows-firewall-intune.png differ diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 6e5a650a0c..a3f36f7725 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -9,7 +9,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/8/2018 +ms.date: 3/20/2019 --- # Common Criteria Certifications @@ -22,6 +22,7 @@ Microsoft is committed to optimizing the security of its products and services. The Security Target describes security functionality and assurance measures used to evaluate Windows. + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) @@ -58,6 +59,7 @@ These documents describe how to configure Windows to replicate the configuration **Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) @@ -134,6 +136,7 @@ These documents describe how to configure Windows to replicate the configuration An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md new file mode 100644 index 0000000000..8ea1c320ba --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md @@ -0,0 +1,11 @@ +# [Windows security guidance for enterprises](windows-security-compliance.md) + +## [Windows security baselines](windows-security-baselines.md) +### [Security Compliance Toolkit](security-compliance-toolkit-10.md) +### [Get support](get-support-for-security-baselines.md) +## [Windows security configuration framework](windows-security-configuration-framework.md) +### [Level 5 enterprise security](level-5-enterprise-security.md) +### [Level 4 enterprise high security](level-4-enterprise-high-security.md) +### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md) +### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md) +### [Level 1 enterprise administrator workstation](level-1-enterprise-administrator-security.md) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md new file mode 100644 index 0000000000..bdbc4a1115 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -0,0 +1,101 @@ +--- +title: Get support +description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: sagaudre +author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 06/25/2018 +--- + +# Get Support + +**What is the Microsoft Security Compliance Manager (SCM)?** + +The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. + +More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/). + +**Where can I get an older version of a Windows baseline?** + +Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT. + +- [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) +- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) +- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) +- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) + +**What file formats are supported by the new SCT?** + +The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported. + +**Does SCT support Desired State Configuration (DSC) file format?** + +Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. + +**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?** + +No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). + +**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** + +No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support. + +
      + +## Version Matrix + +**Client Versions** + +| Name | Build | Baseline Release Date | Security Tools | +|---|---|---|---| +|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)

      [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/)

      [1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)

      [1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/)

      [1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017

      August 2017

      October 2016

      January 2016

      January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| +Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| + +
      + +**Server Versions** + +| Name | Build | Baseline Release Date | Security Tools | +|---|---|---|---| +|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)| +|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| +|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| + +
      + +**Microsoft Products** + +| Name | Details | Security Tools | +|---|---|---| +Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| +|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) +|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) +|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) +|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) +|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) +|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) + +
      + +> [!NOTE] +> Browser baselines are built-in to new OS versions starting with Windows 10 + +## See also + +[Windows security baselines](windows-security-baselines.md) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png new file mode 100644 index 0000000000..06f66acf99 Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png new file mode 100644 index 0000000000..75467f2098 Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png new file mode 100644 index 0000000000..4f869474e2 Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md new file mode 100644 index 0000000000..bc0e695034 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md @@ -0,0 +1,25 @@ +--- +title: Level 1 enterprise administrator workstation security +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Level 1 enterprise administrator workstation security configuration + +**Applies to** + +- Windows 10 + + +Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. +A level 1 configuration should include all the configurations from levels 5, 4, 3, and 2 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 1 enterprise administrator security configuration guidance! diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md new file mode 100644 index 0000000000..3de02c1510 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md @@ -0,0 +1,27 @@ +--- +title: Level 2 enterprise dev/ops security workstation configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise dev/ops security configuration. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Level 2 enterprise dev/ops workstation security configuration + +**Applies to** + +- Windows 10 + +We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 2 configuration should include all the configurations from levels 5, 4, and 3 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 2 enterprise dev/ops security configuration guidance! + + + + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md new file mode 100644 index 0000000000..9c8c264402 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md @@ -0,0 +1,141 @@ +--- +title: Level 3 enterprise VIP security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Level 3 enterprise VIP security configuration + +**Applies to** + +- Windows 10 + +Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. +A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors. + +## Policies + +The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). + +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|---------------|--------------| +| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. | +| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. | +| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. | +| Password Policy | Maximum password age | 60 | The number of days that a password can be used before the system requires the user to change it. | +| Password Policy | Minimum password age | 1 | The number of days that a password must be used before a user can change it. | +| Security Options | Accounts: Administrator account status | Disabled | This security setting determines whether the local Administrator account is enabled or disabled. | +| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. | +| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. | +| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
      - Domain member: Digitally encrypt secure channel data (when possible)
      - Domain member: Digitally sign secure channel data (when possible) | +| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. | +| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. | +| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. | +| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. | +| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. | +| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. | +| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. | +| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
      - Network access: Named pipes that can be accessed anonymously
      - Network access: Shares that can be accessed anonymously | +| Security Options | Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled | This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. | +| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. | +| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. | +| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|---------------|--------------| +| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. | +| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. | +| Windows Defender SmartScreen / Explorer | Configure App Install Control | Allow apps from Store only | App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. | +| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | Enabled | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. | +| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | Enabled | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. | +| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. | +| System / Internet Communication Management / Internet Communication settings | Turn off printing over HTTP | Enabled | This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. if you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. | +| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. | +| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. | +| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Configure minimum PIN length for startup | Enabled: 7 | This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. if you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. By default, the value is 6 digits. NOTE: If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. | +| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. | +| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. | +| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate. | +| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. | +| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. | +| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. | +| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. | +| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace | + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. | +| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. | +| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. | +| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. | +| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. | +| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. | + +### IE User Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|--------------|--------------| +| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. | + +## Controls + +The controls enforced in level 3 implement complex security configuration and controls. +They are likely to have a higher impact to users or to applications, +enforcing a level of security commensurate with the risks facing the most targeted organizations. +Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do +not. + +| Feature Set | Feature | Description | +|--------------|----------|--------------| +| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. | +| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
      [AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
      *or*
      [Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
      *or*
      [Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). | + +## Behaviors + +The behaviors recommended in level 3 represent the most sophisticated security +configuration. Removing admin rights can be difficult, but it is essential to +achieve a level of security commensurate with the risks facing the most targeted +organizations. + +| Feature Set | Feature | Description | +|--------------|----------|--------------| +| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
      - Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
      - Scientists/ Doctors, who often must install and operate specialized hardware devices
      - Remote locations with slow web links, where administration is delegated
      It is typically easier to address these roles later in the process.
      Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
      - Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
      - Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
      - install kernel-mode rootkits and/or keyloggers
      - install and start services
      - install ActiveX controls, including IE and shell add-ins
      - access data belonging to other users
      - cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
      - replace OS and other program files with trojan horses
      - disable/uninstall anti-virus
      - cover its tracks in the event log
      - render your machine unbootable | + + + + + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md new file mode 100644 index 0000000000..2986d0f69e --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md @@ -0,0 +1,209 @@ +--- +title: Level 4 enterprise high security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise security configuration. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Level 4 enterprise high security configuration + +**Applies to** + +- Windows 10 + +Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. +A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors. + +## Policies + +The policies enforced in level 4 implement more controls and a more sophisticated security +configuration than level 5. While they may have a slightly higher impact to +users or to applications, they enforce a level of security more commensurate +with the risks facing users with access to sensitive information. Microsoft +recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and +controls, with a moderate timeline that is anticipated to be slightly longer +than the process in level 5. + +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Security Options | Microsoft network client: Send unencrypted password to third party | Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. | +| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. | +| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | Enabled: Administrators (allowed) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. | +| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem | +| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. | +| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). | +| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. | +| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. | +| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows | +| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. | +| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. | +| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. | +| User Rights Assignment | Lock pages in memory | No One (blank) | This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). | +| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. | +| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. | +| Network / Network Provider | Hardened UNC Paths | Enabled: \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. | +| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. | +| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". | +| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. | +| System / Device Guard | Turn on Virtualization Based Security | Enabled: Virtualization-Based Protection of Code Integrity – Enabled with UEFI Lock | This setting enables virtualization-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced, and the Code Integrity validation path is protected by the Virtualization Based Security feature. | +| System / Internet Communication Management / Internet Communication | Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. | +| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. | +| System / Remote Assistance | Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. | +| Windows Components / File Explorer | Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. | +| Windows Components / File Explorer | Turn off heap termination on corruption | Disabled | Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. | +| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. | +| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. | +| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. | +| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | Enabled: High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. | +| Windows Components / Windows Security / App and browser protection | Prevent users from modifying settings | Enabled | Prevent users from making changes to the Exploit protection settings area in Windows Security. | +| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. | +| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. | + +### Windows Defender Antivirus Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------------------------------|-----------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Windows Defender Antivirus | Configure Detection for Potentially Unwanted Applications | Enabled: Block | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. | + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. | +| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. | +| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. | +| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Enabled: Use | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Enabled: Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Enabled: Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Enabled: Disable | This policy setting allows you to manage whether script code on pages in the zone is run. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Enabled: Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Enabled: Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Enabled: Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Enabled: Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Enabled: Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Enabled: Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Enabled: Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | Enabled: High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. | +| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. | +| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. | +| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. | +| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. | +| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. | +| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. | +| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. | +| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. | +| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. | +| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. | + +### Custom Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------|---------------------------------|-------------------------|------------------------| +| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol | +| MS Security Guide | Configure SMB v1 client driver | Enabled: Disable driver | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. | +| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. | +| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. | +| MS Security Guide | Block Flash activation in Office documents | Enabled | Prevents the Adobe Flash ActiveX control from being loaded by Office applications. | +| MSS (Legacy) | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. | +| MSS (Legacy) | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. | +| MSS (Legacy) | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. | +| MSS (Legacy) | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. | + +## Controls + +The controls enforced in level 4 implement more controls and a more sophisticated security +configuration than level 5. While they may have a slightly higher impact to +users or to applications, they enforce a level of security more commensurate +with the risks facing users with access to sensitive information. Microsoft +recommends using the Audit/Enforce methodology for controls with an Audit mode, +and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that +is anticipated to be slightly longer than the process in level 5. + +| Feature Set | Feature | Description | +|-------------------------------------------------------------|-------------------------------------------------------|----------------| +| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
      - Control flow guard (CFG)
      - Data Execution Protection (DEP)
      - Mandatory ASLR
      - Bottom-Up ASLR
      - High-entropy ASLR
      - Validate Exception Chains (SEHOP)
      - Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
      1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
      2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
      3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | +| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. | + +## Behaviors + +The behaviors recommended in level 4 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce +a level of security more commensurate with the risks facing users with access to +sensitive information. + +| Feature Set| Feature | Description | +|------------|----------|--------------| +| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. | +| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.| +| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials | + + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md new file mode 100644 index 0000000000..5b7819551f --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md @@ -0,0 +1,244 @@ +--- +title: Level 5 enterprise security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 5 enterprise security configuration. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Level 5 enterprise security configuration + +**Applies to** + +- Windows 10 + +Level 5 is the minimum security configuration for an enterprise device. +Microsoft recommends the following configuration for level 5 devices. + +## Policies + +The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications. +Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls. + +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. | +| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | +| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
      1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
      The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
      2) Contain characters from three of the following categories:
      - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
      - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
      - Base 10 digits (0 through 9)
      -Non-alphanumeric characters (special characters):
      (~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
      Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
      - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | +| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. | +| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. | +| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. | +| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password | +| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data | +| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked | +| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation | +| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. | +| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. | +| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. | +| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. | +| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. | +| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer | +| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system | +| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file | +| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. | +| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. | +| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager | +| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to | +| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. | +| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. | +| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. | +| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client | +| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. | +| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. | +| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. | +| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object | +| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads | + +### Advanced Audit Policies + +| Feature | Policy Setting | Policy Value | Description | +|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. | +| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. | +| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials | +| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device | +| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited | +| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out | +| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. | +| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer | +| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account | +| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) | +| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed | +| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder | +| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects | +| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. | +| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings | +| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy | +| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. | +| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications | +| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used | +| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. | +| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. | +| System | Audit Security System Extension | Success | Audit events related to security system extensions or services | +| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem | + +### Windows Defender Firewall Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection | +| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection | +| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection | +| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile | +| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile | +| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile | +| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection | +| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection | +| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection | +| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile | +| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile | +| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile | +| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection | +| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection | +| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection | +| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain | +| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules | +| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile | +| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile | +| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server | +| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. | +| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. | +| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | +| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | +| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. | +| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. | +| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. | +| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. | +| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. | +| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication | +| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. | +| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. | +| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software | +| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off | +| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. | +| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites | +| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators | +| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system | +| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system | +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. | + +### Windows Defender Antivirus Policies + +| Feature | Policy Setting | Policy Value | Description | +|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus | +| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. | +| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. | +| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set | +| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection | +| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. | +| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. | +| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). | +| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments | + +### User Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. | +| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. | + +### LAPS + +Download and install the [Microsoft Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899). + +| Feature | Policy Setting | Policy Value | Description | +|---------|----------------------------------------|--------------|-------------------------------| +| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device | + +### Custom Policies + +| Feature | Policy Setting | Policy Value | Description | +|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------| +| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons | + +### Services + +| Feature | Policy Setting | Policy Value | Description | +|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------| +| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games | +| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories | +| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | +| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | +| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | +| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API | + +## Controls + +The controls enabled in level 5 enforce a reasonable security level while minimizing the impact to users and applications. + +| Feature | Config | Description | +|-----------------------------------|-------------------------------------|--------------------| +| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | +| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | + +## Behaviors + +The behaviors recommended in level 5 enforce a reasonable security level while minimizing the impact to users or to applications. + +| Feature | Config | Description | +|---------|-------------------|-------------| +| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md new file mode 100644 index 0000000000..fe229e350d --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -0,0 +1,72 @@ +--- +title: Microsoft Security Compliance Toolkit 1.0 +description: This article describes how to use the Security Compliance Toolkit in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: sagaudre +author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/26/2018 +--- + +# Microsoft Security Compliance Toolkit 1.0 + +## What is the Security Compliance Toolkit (SCT)? + +The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products. + +The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy. +

      + +The Security Compliance Toolkit consists of: + +- Windows 10 security baselines + - Windows 10 Version 1809 (October 2018 Update) + - Windows 10 Version 1803 (April 2018 Update) + - Windows 10 Version 1709 (Fall Creators Update) + - Windows 10 Version 1703 (Creators Update) + - Windows 10 Version 1607 (Anniversary Update) + - Windows 10 Version 1511 (November Update) + - Windows 10 Version 1507 + +- Windows Server security baselines + - Windows Server 2019 + - Windows Server 2016 + - Windows Server 2012 R2 + +- Microsoft Office security baseline + - Office 2016 + +- Tools + - Policy Analyzer tool + - Local Group Policy Object (LGPO) tool + + +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/). + +## What is the Policy Analyzer tool? + +The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include: +- Highlight when a set of Group Policies has redundant settings or internal inconsistencies +- Highlight the differences between versions or sets of Group Policies +- Compare GPOs against current local policy and local registry settings +- Export results to a Microsoft Excel spreadsheet + +Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. + +More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the Local Group Policy Object (LGPO) tool? + +LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. +Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. +LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. +It can export local policy to a GPO backup. +It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. + +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md new file mode 100644 index 0000000000..af866029c2 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -0,0 +1,79 @@ +--- +title: Windows security baselines +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: sagaudre +author: justinha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 06/25/2018 +--- + +# Windows security baselines + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + +## Using security baselines in your organization + +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. + +Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. + +We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. + +Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/). + +## What are security baselines? + +Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. + +A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. + +## Why are security baselines needed? + +Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. + +For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. + +In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups. + +## How can you use security baselines? + +You can use security baselines to: +- Ensure that user and device configuration settings are compliant with the baseline. +- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. + +## Where can I get the security baselines? + +You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. + +The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. + +[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) + +## Community + +[![Microsoft Security Guidance Blog](./../images/community.png)](https://blogs.technet.microsoft.com/secguide/) + +## Related Videos + +You may also be interested in this msdn channel 9 video: +- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO) + +## See Also + +- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) +- [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/) +- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) +- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) +- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md new file mode 100644 index 0000000000..aaf62986eb --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md @@ -0,0 +1,28 @@ +--- +title: Windows security guidance for enterprises +description: This article describes how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Windows security guidance for enterprises + +**Applies to** + +- Windows 10 + +The topics in this section provide security configuration guidelines for enterprises. You can use these guidelines to deploy security configuration settings and to ensure that user and device settings comply with enterprise policies. + +| Capability | Description | +|------------|-------------| +| [Windows security baselines](windows-security-baselines.md) | Microsoft-recommended configuration settings and their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. | +| [Windows security configuration framework](windows-security-configuration-framework.md) | Five distinct security configurations for more granular control over productivity devices and privileged access workstations. | diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md new file mode 100644 index 0000000000..e17ed61da6 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -0,0 +1,64 @@ +--- +title: Windows security configuration framework +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Introducing the security configuration framework + +**Applies to** + +- Windows 10 + +Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. +It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. + +Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. +However, many organizations have discovered that this baseline sets a very high bar. +While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. +They can’t justify the investment in that very high level of security with an ROI. + +As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10. +This new security configuration framework, which we call the SECCON framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations. + +![SECCON Framework](images/seccon-framework.png) + +- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days. +- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days. +- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. +- [Level 2 DevOps Workstation](level-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon! +- [Level 1 Administrator Workstation](level-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 1 guidance is coming soon! + + +The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices +(Levels 5, 4, and 3). +Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). + +Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level. +Level 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. + +## Security control classification + +The recommendations are grouped into three categories. + +![Security Control Classifications](images/security-control-classification.png) + + +## Security control deployment methodologies + +The way Microsoft recommends implementing these controls depends on the +auditability of the control–there are two primary methodologies. + +![Security Control Deployment methodologies](images/security-control-deployment-methodologies.png) + + diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index 055e983ab5..ca62dbde8c 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -39,7 +39,8 @@ "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-threat-protection" + "depot_name": "MSDN.win-threat-protection", + "folder_relative_path_in_docset": "./" } } }, @@ -47,4 +48,4 @@ "template": [], "dest": "win-threat-protection" } -} \ No newline at end of file +} diff --git a/windows/update/docfx.json b/windows/update/docfx.json index e95b5a9ccc..0e654307a9 100644 --- a/windows/update/docfx.json +++ b/windows/update/docfx.json @@ -32,7 +32,8 @@ "globalMetadata": { "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.windows-update" + "depot_name": "MSDN.windows-update", + "folder_relative_path_in_docset": "./" } } }, @@ -40,4 +41,4 @@ "template": [], "dest": "windows-update" } -} \ No newline at end of file +} diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index 14772f6caf..8d052ede68 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.date: 10/13/2017 +ms.topic: tutorial --- # Editing existing Windows IT professional documentation diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 12dd2d0312..8095c10abd 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -41,12 +41,14 @@ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { - "depot_name": "MSDN.win-whats-new" + "depot_name": "MSDN.win-whats-new", + "folder_relative_path_in_docset": "./" } } }, "fileMetadata": {}, "template": [], - "dest": "win-whats-new" + "dest": "win-whats-new", + "markdownEngineName": "dfm" } -} \ No newline at end of file +} diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md index 932997f615..3f464216ef 100644 --- a/windows/whats-new/get-started-with-1709.md +++ b/windows/whats-new/get-started-with-1709.md @@ -9,6 +9,7 @@ author: DaniHalfin ms.author: daniha ms.date: 10/16/2017 ms.localizationpriority: high +ms.topic: article --- # Get started with Windows 10, version 1709 diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 47357b364c..1798631ea3 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -7,6 +7,7 @@ ms.prod: w10 author: TrudyHa ms.date: 04/30/2018 ms.localizationpriority: high +ms.topic: article --- # What's new in Windows 10 @@ -28,7 +29,6 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## Learn more -- [Windows 10 roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap) - [Windows 10 release information](https://technet.microsoft.com/windows/release-info) - [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) - [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index df4bb4d4b9..de2548056a 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -8,6 +8,7 @@ ms.sitesec: library author: greg-lindsay ms.date: 12/27/2018 ms.localizationpriority: low +ms.topic: article --- # Windows 10 Enterprise LTSC diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index ce85311efd..7b02c68fa1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.localizationpriority: low +ms.topic: article --- # What's new in Windows 10 Enterprise 2015 LTSC diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 1058f0c9b3..acf81acf24 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.localizationpriority: low +ms.topic: article --- # What's new in Windows 10 Enterprise 2016 LTSC diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 94f4540a5d..dd8a314962 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.localizationpriority: low +ms.topic: article --- # What's new in Windows 10 Enterprise 2019 LTSC @@ -304,7 +305,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ### Faster sign-in to a Windows 10 shared pc -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc.md) in a flash! +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! **To enable fast sign-in:** 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 33588a5731..da039f72df 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -8,6 +8,7 @@ ms.sitesec: library author: TrudyHa ms.localizationpriority: high ms.date: 10/16/2017 +ms.topic: article --- # What's new in Windows 10, versions 1507 and 1511 diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 55c81fa1cf..6ef3ef4059 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -8,6 +8,7 @@ ms.sitesec: library author: TrudyHa ms.localizationpriority: high ms.date: 10/16/2017 +ms.topic: article --- # What's new in Windows 10, version 1607 diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 08f3d814ab..91bac38458 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -9,6 +9,7 @@ author: JasonGerend ms.localizationpriority: high ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 ms.date: 10/16/2017 +ms.topic: article --- # What's new in Windows 10, version 1703 IT pro content diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index aa01ea5caa..af0c9c725d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -8,6 +8,7 @@ ms.sitesec: library author: greg-lindsay ms.date: 01/24/2018 ms.localizationpriority: high +ms.topic: article --- # What's new in Windows 10, version 1709 IT Pro content diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 622cbcdd98..a4846edc0d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -8,6 +8,7 @@ ms.sitesec: library author: greg-lindsay ms.date: 07/07/2018 ms.localizationpriority: high +ms.topic: article --- # What's new in Windows 10, version 1803 IT Pro content @@ -134,7 +135,7 @@ Portions of the work done during the offline phases of a Windows update have bee ### Co-management -Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +Intune and System Center Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index de8365b010..f50ed452fa 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.localizationpriority: high +ms.topic: article --- # What's new in Windows 10, version 1809 for IT Pros @@ -35,7 +36,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag.md) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. ## Security @@ -201,6 +202,9 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables ![fast sign-in](images/fastsignin.png "fast sign-in") +>[!NOTE] +>This is a preview feature and therefore not meant or recommended for production purposes. + ## Web sign-in to Windows 10 Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). @@ -213,6 +217,9 @@ Until now, Windows logon only supported the use of identities federated to ADFS ![Web sign-in](images/websignin.png "web sign-in") +>[!NOTE] +>This is a preview feature and therefore not meant or recommended for production purposes. + ## Your Phone app Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md index 5d236f5f30..7ec491e3ef 100644 --- a/windows/whats-new/windows-10-insider-preview.md +++ b/windows/whats-new/windows-10-insider-preview.md @@ -6,6 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: TrudyHa ms.date: 04/14/2017 +ms.topic: article --- # Documentation for Windows 10 Insider Preview