From dc34bd40348177139601e9bbc75e645171a4a0c1 Mon Sep 17 00:00:00 2001 From: Zach Dvorak Date: Thu, 26 Oct 2017 11:15:20 -0700 Subject: [PATCH 01/81] Update upgrade-readiness-additional-insights.md Added a disclaimer to say that Edge data will be collected starting with the newest Insider preview builds. --- .../deployment/upgrade/upgrade-readiness-additional-insights.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 2073022a88..40b6f4fcb0 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md 
@@ -17,7 +17,7 @@ This topic provides information on additional features that are available in Upg The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. > [!NOTE] -> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. +> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. 
You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. ### Install prerequisite security update for Internet Explorer From 460d37022764980da20a3ffc52b249c316a3a703 Mon Sep 17 00:00:00 2001 From: Mattias Borg Date: Fri, 27 Oct 2017 11:47:36 +0200 Subject: [PATCH 02/81] Update use-windows-event-forwarding-to-assist-in-instrusion-detection.md --- ...-event-forwarding-to-assist-in-instrusion-detection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index 5142227854..658e3fcaf7 100644 --- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md @@ -606,9 +606,9 @@ Here are the minimum steps for WEF to operate: - + *[EventData[Data[@Name="QueryOptions"]="140737488355328"]] - + *[EventData[Data[@Name="QueryResults"]=""]] @@ -636,7 +636,7 @@ Here are the minimum steps for WEF to operate: - + 
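Review bot: The commit message for this patch is only the default subject "Update use-windows-event-forwarding-to-assist-in-instrusion-detection.md" with no body, while the hunk at line 606 changes lines that sit next to the `QueryOptions` and `QueryResults` selectors of the subscription query. An edit to a forwarding query can change which events reach the collector, so the message should say what the four replaced lines change and why, or state plainly that the edit is formatting only.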
@@ -650,4 +650,4 @@ You can get more info with the following links: - [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) -Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md). \ No newline at end of file +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md). From f3bd91296e31b5cf29639d834ab1121333d6b953 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 30 Oct 2017 14:34:52 -0700 Subject: [PATCH 03/81] exclusion updates --- ...e-exclusions-windows-defender-antivirus.md | 28 +++++++++++++------ 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 3ab8d056a6..86c96a7475 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -48,9 +48,17 @@ A specific file in a specific folder | The file c:\sample\sample.test only | Fil A specific process | The executable file c:\test\process.exe | File and folder exclusions This means the exclusion lists have the following characteristics: -- Folder exclusions will apply to all files and folders under that folder. +- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions will apply to any file name with the defined extension, regardless of where the file is located. +>[!IMPORTANT] +>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> +>You cannot exclude mapped network drives +>Folders that are reparse points that are created after the Windows Defender AV service starts and that are added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. + + + To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic. 
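Review bot: In the added `[!IMPORTANT]` block, the line ">You cannot exclude mapped network drives" has no closing period and is followed directly by ">Folders that are reparse points that are created after ..." with no empty `>` line between them, so the two statements will render as one run-on paragraph. End the first sentence with a period and separate the two with an empty `>` line, as is already done after the wildcard paragraph. The reparse-point sentence says such folders "will not be included", which can be read either way; say explicitly that the exclusion does not apply to them until the service is restarted. The three empty lines added after the block can be dropped.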
@@ -187,21 +195,23 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende ## Use wildcards in the file name and folder path or extension exclusion lists -You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. +You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations. >[!IMPORTANT] ->Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. - -You cannot use a wildcard in place of a drive letter. +>There are key limitations and usage scenarios for these wildcards: +> +>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. +>- You cannot use a wildcard in place of a drive letter. +>- The use of asterisk \* in a folder exclusion will stand in place for a single folder The following table describes how the wildcards can be used and provides some examples. -Wildcard | Use | Example use | Example matches +Wildcard | Use in file and file extension exclusions | Use in folder exclusions | Example use | Example matches ---|---|---|--- -\* (asterisk) | Replaces any number of characters |
  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
-? (question mark) | Replaces a single character |
  • C:\MyData\my\?.zip
  • C:\somepath\\\?\Data
|
  • C:\MyData\my1.zip
  • Any file in C:\somepath\P\Data
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles
|
  • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+\* (asterisk) | Replaces any number of characters | Replaces a single folder |
  1. C:\MyData\my\*.zip
  2. C:\somepath\\\*\Data
|
  1. C:\MyData\my-archived-files-43.zip
  2. Any file in C:\somepath\folder1\Data or C:\somepath\folder2\Data
+? (question mark) | Replaces a single character | Replaces a single character in a folder name |
  1. C:\MyData\my\?.zip
  2. C:\somepath\\\?\Data
  3. C:\somepath\\\test0?\Data
|
  1. C:\MyData\my1.zip
  2. Any file in C:\somepath\P\Data
  3. Any file in C:\somepath\test01\Data
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | Same as file and extension use |
  1. %ALLUSERSPROFILE%\CustomLogFiles
|
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
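Review bot: The new header row has five columns ("Wildcard | Use in file and file extension exclusions | Use in folder exclusions | Example use | Example matches"), but the delimiter row under it is left unchanged at four (`---|---|---|---`). GitHub-flavored Markdown requires the header and delimiter rows to have the same number of cells, so the table will not be recognised as written; add a fifth `---`. Separately, the added bullet "The use of asterisk \* in a folder exclusion will stand in place for a single folder" is missing its closing period, unlike the two bullets above it.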
From 81824f0e242855e3d908acb624fa7ef30a82be2e Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 30 Oct 2017 16:54:08 -0700 Subject: [PATCH 04/81] updates to make clerare how wildcards work, also indicate that wildcards shouldn't normally be used. --- ...e-exclusions-windows-defender-antivirus.md | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 86c96a7475..d35a4a4e97 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -38,6 +38,11 @@ ms.date: 06/13/2017 You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists. +Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. + +>[!TIP] +>We don't use exclusions in our deployment of Windows Defender AV at Microsoft! + This topic describes how to configure exclusion lists for the following: Exclusion | Examples | Exclusion list 
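Review bot: The added paragraph says Windows Defender AV "includes a number of automatic exclusions" but neither lists them nor links to where they are documented, so an administrator cannot check whether a given server role or management tool is already covered before deciding that no custom exclusion is needed. Link the phrase to the topic that enumerates them. The `[!TIP]` line "We don't use exclusions in our deployment of Windows Defender AV at Microsoft!" reads as an aside rather than guidance; consider rewording it as a recommendation or dropping it.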
@@ -49,7 +54,7 @@ A specific process | The executable file c:\test\process.exe | File and folder e This means the exclusion lists have the following characteristics: - Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. -- File extensions will apply to any file name with the defined extension, regardless of where the file is located. +- File extensions will apply to any file name with the defined extension if a path or folder is not defined. >[!IMPORTANT] >The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. 
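Review bot: The reworded bullet "File extensions will apply to any file name with the defined extension if a path or folder is not defined" covers only the unscoped case and leaves the reader to guess what happens when a path is given. The removed wording ("regardless of where the file is located") was unambiguous about scope, so add the other half of the rule, for example that an extension combined with a folder path applies only within that path, if that is the intended behaviour.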
@@ -195,25 +200,30 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende ## Use wildcards in the file name and folder path or extension exclusion lists -You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations. +You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations. >[!IMPORTANT] >There are key limitations and usage scenarios for these wildcards: > >- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. >- You cannot use a wildcard in place of a drive letter. ->- The use of asterisk \* in a folder exclusion will stand in place for a single folder +>- The use of asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. Wildcard | Use in file and file extension exclusions | Use in folder exclusions | Example use | Example matches ---|---|---|--- -\* (asterisk) | Replaces any number of characters | Replaces a single folder |
  1. C:\MyData\my\*.zip
  2. C:\somepath\\\*\Data
|
  1. C:\MyData\my-archived-files-43.zip
  2. Any file in C:\somepath\folder1\Data or C:\somepath\folder2\Data
-? (question mark) | Replaces a single character | Replaces a single character in a folder name |
  1. C:\MyData\my\?.zip
  2. C:\somepath\\\?\Data
  3. C:\somepath\\\test0?\Data
|
  1. C:\MyData\my1.zip
  2. Any file in C:\somepath\P\Data
  3. Any file in C:\somepath\test01\Data
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | Same as file and extension use |
  1. %ALLUSERSPROFILE%\CustomLogFiles
|
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
- +`*` (asterisk) | Replaces any number of characters.
Only applies to files in the last folder defined in the argument. | Replaces a single folder.
Use multiple `*` with folder slashes `\` to indicate multiple, nested folders.
After matching to the number of wilcarded and named folders, all subfolders will also be included. |
  1. C:\MyData\my\\**\***.txt
  2. C:\somepath\\**\***\Data
  3. C:\Serv\\**\***\\**\***\Backup
|
  1. C:\MyData\\notes.txt
  2. Any file in:
    • C:\somepath\\Archives\Data and its subfolders
    • C:\somepath\\Authorized\Data and its subfolders
  3. Any file in:
    • C:\Serv\\Primary\\Denied\Backup and its subfolders
    • C:\Serv\\Secondary\\Allowed\Backup and its subfolders
+`?` (question mark) | Replaces a single character.
Only applies to files in the last folder defined in the argument. | Replaces a single character in a folder name.
After matching to the number of wilcarded and named folders, all subfolders will also be included. |
  1. C:\MyData\my?.zip
  2. C:\somepath\\?\Data
  3. C:\somepath\\test0?\Data
|
  1. C:\MyData\my1.zip
  2. Any file in C:\somepath\\P\Data and its subfolders
  3. Any file in C:\somepath\test01\Data and its subfolders
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | Same as file and extension use |
  1. %ALLUSERSPROFILE%\CustomLogFiles
|
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+>[!IMPORTANT] +>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> +>For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*. +> +>This argument, however, will not match any folders in subfolders under *c:\data\final\marked* or *c:\data\review\marked*. From cf42ceaaa5a7fd5778f5e12e8b6a8bc821d8252e Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 30 Oct 2017 17:45:40 -0700 Subject: [PATCH 05/81] updates to table - convert to htrml table to allow for ital, bolding and use of wildcards --- ...e-exclusions-windows-defender-antivirus.md | 84 +++++++++++++++++-- 1 file changed, 78 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index d35a4a4e97..3e6dafe9ff 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -211,12 +211,84 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such The following table describes how the wildcards can be used and provides some examples. - -Wildcard | Use in file and file extension exclusions | Use in folder exclusions | Example use | Example matches ----|---|---|--- -`*` (asterisk) | Replaces any number of characters.
Only applies to files in the last folder defined in the argument. | Replaces a single folder.
Use multiple `*` with folder slashes `\` to indicate multiple, nested folders.
After matching to the number of wilcarded and named folders, all subfolders will also be included. |
  1. C:\MyData\my\\**\***.txt
  2. C:\somepath\\**\***\Data
  3. C:\Serv\\**\***\\**\***\Backup
|
  1. C:\MyData\\notes.txt
  2. Any file in:
    • C:\somepath\\Archives\Data and its subfolders
    • C:\somepath\\Authorized\Data and its subfolders
  3. Any file in:
    • C:\Serv\\Primary\\Denied\Backup and its subfolders
    • C:\Serv\\Secondary\\Allowed\Backup and its subfolders
-`?` (question mark) | Replaces a single character.
Only applies to files in the last folder defined in the argument. | Replaces a single character in a folder name.
After matching to the number of wilcarded and named folders, all subfolders will also be included. |
  1. C:\MyData\my?.zip
  2. C:\somepath\\?\Data
  3. C:\somepath\\test0?\Data
|
  1. C:\MyData\my1.zip
  2. Any file in C:\somepath\\P\Data and its subfolders
  3. Any file in C:\somepath\test01\Data and its subfolders
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | Same as file and extension use |
  1. %ALLUSERSPROFILE%\CustomLogFiles
|
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
WildcardUse in file and file extension exclusionsUse in folder exclusionsExample useExample matches>
* (asterisk)Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching to the number of wilcarded and named folders, all subfolders will also be included.
+
    +
  1. C:\MyData\my\*.txt
  2. +
  3. C:\somepath\*\Data
  4. +
  5. C:\Serv\*\*\Backup +
+
+
    +
  1. C:\MyData\notes.txt
  2. +
  3. Any file in: +
      +
    • C:\somepath\Archives\Data and its subfolders
    • +
    • C:\somepath\Authorized\Data and its subfolders
    • +
    +
  4. Any file in: +
      +
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • +
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • +
    +
+
+ ? (question mark) + + Replaces a single character.
+ Only applies to files in the last folder defined in the argument. +
+ Replaces a single character in a folder name.
+ After matching to the number of wilcarded and named folders, all subfolders will also be included. +
+
    +
  1. C:\MyData\my?.zip
  2. +
  3. C:\somepath\?\Data
  4. +
  5. C:\somepath\test0?\Data
  6. +
+
+
    +
  1. C:\MyData\my1.zip
  2. +
  3. Any file in C:\somepath\P\Data and its subfolders
  4. +
  5. Any file in C:\somepath\test01\Data and its subfolders
  6. +
+
Environment variablesThe defined variable will be populated as a path when the exclusion is evaluatedSame as file and extension use +
    +
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. +
+
+
    +
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  2. +
+
>[!IMPORTANT] >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. From 0da8c46e30e700509e5d4fa16369600f1a584cb4 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 30 Oct 2017 18:02:41 -0700 Subject: [PATCH 06/81] table code updates --- ...e-exclusions-windows-defender-antivirus.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 3e6dafe9ff..2a4c50e729 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -220,28 +220,28 @@ The following table describes how the wildcards can be used and provides some ex Example matches> - * (asterisk) + \* (asterisk) Replaces any number of characters.
Only applies to files in the last folder defined in the argument. - Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching to the number of wilcarded and named folders, all subfolders will also be included. + Replaces a single folder.
Use multiple \* with folder slashes \\ to indicate multiple, nested folders.
After matching to the number of wilcarded and named folders, all subfolders will also be included.
    -
  1. C:\MyData\my\*.txt
  2. -
  3. C:\somepath\*\Data
  4. -
  5. C:\Serv\*\*\Backup +
  6. C:\MyData\my\\\*.txt
  7. +
  8. C:\somepath\\\*\Data
  9. +
  10. C:\Serv\\\*\\\*\Backup
    -
  1. C:\MyData\notes.txt
  2. +
  3. C:\MyData\\notes.txt
  4. Any file in:
      -
    • C:\somepath\Archives\Data and its subfolders
    • -
    • C:\somepath\Authorized\Data and its subfolders
    • +
    • C:\somepath\\Archives\Data and its subfolders
    • +
    • C:\somepath\\Authorized\Data and its subfolders
  5. Any file in:
      -
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • -
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • +
    • C:\Serv\\Primary\\Denied\Backup and its subfolders
    • +
    • C:\Serv\\Secondary\\Allowed\Backup and its subfolders
@@ -268,15 +268,15 @@ The following table describes how the wildcards can be used and provides some ex
  1. C:\MyData\my1.zip
  2. -
  3. Any file in C:\somepath\P\Data and its subfolders
  4. +
  5. Any file in C:\somepath\\P\Data and its subfolders
  6. Any file in C:\somepath\test01\Data and its subfolders
Environment variables - The defined variable will be populated as a path when the exclusion is evaluated - Same as file and extension use + The defined variable will be populated as a path when the exclusion is evaluated. + Same as file and extension use.
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. From 492ddf1f65bd7f793ad9b4a23aaee2394edbcdb0 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 31 Oct 2017 01:19:07 +0000 Subject: [PATCH 07/81] Updated configure-extension-file-exclusions-windows-defender-antivirus.md --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 2a4c50e729..72866b63fe 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 06/13/2017 +ms.date: 10/30/2017 --- # Configure and validate exclusions based on file extension and folder location From 0627a6b4e834b72022a009f6303f50d443a544a1 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 30 Oct 2017 18:30:49 -0700 Subject: [PATCH 08/81] update formatting --- ...re-extension-file-exclusions-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 2a4c50e729..b7f21aa8a2 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -261,7 +261,7 @@ The following table describes how the wildcards can be used and provides some ex
    1. C:\MyData\my?.zip
    2. -
    3. C:\somepath\?\Data
    4. +
    5. C:\somepath\\?\Data
    6. C:\somepath\test0?\Data
    @@ -295,7 +295,7 @@ The following table describes how the wildcards can be used and provides some ex > >For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*. > ->This argument, however, will not match any folders in subfolders under *c:\data\final\marked* or *c:\data\review\marked*. +>This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*. From 4bbb532acf268087cfaff300e3124cfe5df08671 Mon Sep 17 00:00:00 2001 From: Jan Pilar Date: Wed, 1 Nov 2017 13:24:12 +0100 Subject: [PATCH 09/81] Update respond-machine-alerts-windows-defender-advanced-threat-protection.md There is mistake with Windows 10 release number. Number mentioned is 1710 however correct number is 1709 --- ...achine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index ffd0412eb8..148544e3fc 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -173,7 +173,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. From 9d79c614ef3fd37d6763739aa8fbbb07e22df606 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Nov 2017 13:31:58 -0700 Subject: [PATCH 10/81] update to pre-reqs on actions --- ...windows-defender-advanced-threat-protection.md | 15 ++++++++++++--- ...windows-defender-advanced-threat-protection.md | 11 +++++------ 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 10734a86ca..db6ecc2b69 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -29,17 +29,26 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. ->[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. +>[!IMPORTANT] +>These response actions are only available for machines on Windows 10, version 1703 or later. You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. +>[!IMPORTANT] +>You can only take this action if: +> - The machine you're taking the action on is running Windows 10, version 1703 or later +> - The file does not belong to the system or not signed by Microsoft +> - Windows Defender Antivirus must at least be running on Passive mode + The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. +The action takes effect on machines with the latest Windows 10, version 1703 and above where the file was observed in the last 30 days. + +>[!NOTE] +>You’ll be able to remove the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: 
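Review bot: In the new "You can only take this action if:" list, the second bullet "The file does not belong to the system or not signed by Microsoft" is ungrammatical and leaves the logic unclear: it does not say whether one condition or both must hold for the action to be available. State each condition as its own bullet or spell out the and/or. The third bullet, "Windows Defender Antivirus must at least be running on Passive mode", does not read as a continuation of "if:"; something like "Windows Defender Antivirus is running, at least in Passive mode" keeps the list parallel. The hunk also leaves two wordings of the version requirement, "version 1703 or later" and "the latest Windows 10, version 1703 and above"; pick one.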
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index ffd0412eb8..dbed86a45a 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -24,20 +24,19 @@ ms.date: 10/17/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. ->[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. - - +>[!IMPORTANT] +> These response actions are only available for PCs on Windows 10, version 1703 and above. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. +>[!IMPORTANT] +> This response action is only available for machines on Windows 10, version 1703 and above. + You can download the package (Zip file) and investigate the events that occurred on a machine. The package contains the following folders: From 8621ed3d73e8aa58d67a4c5f8b15e1c98b41cd06 Mon Sep 17 00:00:00 2001 
From: jvheaton Date: Wed, 1 Nov 2017 15:38:55 -0700 Subject: [PATCH 11/81] Update credentials spelling --- ...fferences-between-surface-hub-and-windows-10-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index 8a85487527..d1a52c56b3 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md 
@@ -32,7 +32,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f ### User sign-in -Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those crednetials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS). +Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those credentials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS). Users can sign in to a Surface Hub, but they will not be signed in to the OS. For example, when a user signs in to Apps or My Meetings and Files, the users is signed in only to the apps or services, not to the OS. As a result, the signed-in user is able to retrieve their cloud files and personal meetings stored in the cloud, and these credentials are discarded when **End session** is activated. 
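Review bot: The trailing context of this hunk still reads "the users is signed in only to the apps or services", so the paragraph right after the corrected sentence keeps a grammar slip. Since this commit is a spelling pass over the same section, consider changing it to "the user is signed in" in the same change.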
@@ -168,4 +168,4 @@ Users can sign in to Microsoft Edge to access intranet sites and online resource The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization). -*Organization policies that this may affect:*
    Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise. \ No newline at end of file +*Organization policies that this may affect:*
    Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise. From b24fe893325b29b09dba603cafcb03679064f090 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Nov 2017 16:27:41 -0700 Subject: [PATCH 12/81] updates --- ...ile-alerts-windows-defender-advanced-threat-protection.md | 5 +++-- ...ine-alerts-windows-defender-advanced-threat-protection.md | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index db6ecc2b69..583a583988 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -107,8 +107,9 @@ You can roll back and remove a file from quarantine if you’ve determined that You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!NOTE] ->This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

    -This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later. +>- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

    +>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +>- This response action is only available for machines on Windows 10, version 1703 or later. >[!IMPORTANT] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index dbed86a45a..8d6f2ada9e 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -29,13 +29,13 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!IMPORTANT] -> These response actions are only available for PCs on Windows 10, version 1703 and above. +> These response actions are only available for PCs on Windows 10, version 1703 and later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. >[!IMPORTANT] -> This response action is only available for machines on Windows 10, version 1703 and above. +> This response action is only available for machines on Windows 10, version 1703 and later. You can download the package (Zip file) and investigate the events that occurred on a machine. From 79e79de520c4aec71f6b2340299be451365cee02 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 1 Nov 2017 16:38:04 -0700 Subject: [PATCH 13/81] updates based on css fb --- ...e-exclusions-windows-defender-antivirus.md | 36 +++++++++++++------ 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index db4c76fc08..c779b9a8bb 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -41,7 +41,7 @@ You can exclude certain files from being scanned by Windows Defender AV by modif Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. >[!TIP] ->We don't use exclusions in our deployment of Windows Defender AV at Microsoft! +>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. This topic describes how to configure exclusion lists for the following: @@ -59,8 +59,9 @@ This means the exclusion lists have the following characteristics: >[!IMPORTANT] >The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. > ->You cannot exclude mapped network drives ->Folders that are reparse points that are created after the Windows Defender AV service starts and that are added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +>You cannot exclude mapped network drives. You must specify the actual network path. +> +>Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. 
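Review bot: In the last hunk above (@@ -59,8 +59,9 @@), the reworded reparse-point sentence still ends with "will not be included", which does not say what the folder is left out of. The sentence after it suggests the meaning is that the folder is not recognized as an exclusion until the service restarts. Stating that directly, for example "will not be treated as an exclusion", keeps an administrator from assuming a folder is excluded when it is still being scanned.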
@@ -70,11 +71,11 @@ To exclude files opened by a specific process, see the [Configure and validate e The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). -Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +>[!IMPORTANT] +>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +> +>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. - -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists. By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. 
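Review bot: This hunk deletes the two paragraphs that linked to #gp, #man-tools, #wildcards, #ps, #review and #validate, and the commit message ("updates based on css fb") does not mention removing them. If those were the only in-page pointers to the Group Policy, PowerShell/WMI and wildcard sections, readers lose the overview of configuration methods; confirm the removal is intended or keep the paragraphs below the new callout. The same IMPORTANT callout is also added a second time at @@ -303,6 +304,11 @@, so consider keeping it in one place.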
@@ -92,7 +93,7 @@ You can [configure how locally and globally defined exclusions lists are merged] **Use Group Policy to configure folder or file extension exclusions:** >[!NOTE] ->If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. +>If you specify a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -107,7 +108,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...** - 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes. + 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. 7. Click **OK**. @@ -117,7 +118,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...** - 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes. + 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. 9. Click **OK**. 
@@ -225,7 +226,7 @@ The following table describes how the wildcards can be used and provides some ex Replaces a single folder.
    Use multiple \* with folder slashes \\ to indicate multiple, nested folders.
    After matching to the number of wilcarded and named folders, all subfolders will also be included.
      -
    1. C:\MyData\my\\\*.txt
    2. +
    3. C:\MyData\\\*.txt
    4. C:\somepath\\\*\Data
    5. C:\Serv\\\*\\\*\Backup
    @@ -303,6 +304,11 @@ The following table describes how the wildcards can be used and provides some ex You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>[!IMPORTANT] +>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +> +>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. + If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. @@ -365,6 +371,14 @@ $client = new-object System.Net.WebClient $client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") ``` +If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command: + +```PowerShell +[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*') +``` + +You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + ## Related topics From d2f2c7b515b72e1a1b1c31f293a8499c4a52db95 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Wed, 1 Nov 2017 16:42:44 -0700 Subject: [PATCH 14/81] minor updates --- windows/threat-protection/TOC.md | 1 + ...le-alerts-windows-defender-advanced-threat-protection.md | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index ce3a47ceb7..3eb9dfc4fd 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -69,6 +69,7 @@ ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) ###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) ###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) ###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) ####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 583a583988..a559e0f478 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -40,8 +40,8 @@ You can contain an attack in your organization by stopping the malicious process >[!IMPORTANT] >You can only take this action if: > - The machine you're taking the action on is running Windows 10, version 1703 or later -> - The file does not belong to the system or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode +> - The file does not belong to trusted third-party publishers or not signed by Microsoft +> - Windows Defender Antivirus must at least be running on Passive mode The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. @@ -79,7 +79,7 @@ When the file is being removed from an endpoint, the following notification is s In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. ->[!NOTE] +>[!IMPORTANT] >The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications. ![Image of action button turned off](images/atp-file-action.png) From 0ce44c44e19625d51661c484b9a885426ad9d0f1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Nov 2017 17:01:05 -0700 Subject: [PATCH 15/81] minor change --- ...file-alerts-windows-defender-advanced-threat-protection.md | 4 ++-- ...hine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index a559e0f478..20cd52d1c5 100644 
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -106,12 +106,12 @@ You can roll back and remove a file from quarantine if you’ve determined that ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. ->[!NOTE] +>[!IMPORTANT] >- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

    >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. >- This response action is only available for machines on Windows 10, version 1703 or later. ->[!IMPORTANT] +>[!NOTE] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 8d6f2ada9e..bbef37d999 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -29,7 +29,7 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!IMPORTANT] -> These response actions are only available for PCs on Windows 10, version 1703 and later. +> These response actions are only available for machines on Windows 10, version 1703 and later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. From 937db704b9148e9cee7c7010cad4d00ce9c4fdad Mon Sep 17 00:00:00 2001 
From: Matt Graeber Date: Thu, 2 Nov 2017 10:30:11 -0700 Subject: [PATCH 16/81] Adding runscripthelper.exe to the blacklist ruleset Reference for the runscripthelper.exe bypass: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc Also giving credit to Lee Christensen for his visualuiaverifynative.exe bypass contribution. --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 47d2848249..f5c907daf3 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -73,6 +73,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| |Alex Ionescu | @aionescu| +|Lee Christensen|@tifkin_|
    @@ -134,6 +135,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -418,6 +420,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From 075074135adbbaabd51586097a07b3d682454a14 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 2 Nov 2017 11:10:13 -0700 Subject: [PATCH 17/81] updates on notes and important --- ...ndows-defender-advanced-threat-protection.md | 6 +++--- ...ndows-defender-advanced-threat-protection.md | 17 ++++++++++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 20cd52d1c5..c346dc4ffe 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -41,7 +41,7 @@ You can contain an attack in your organization by stopping the malicious process >You can only take this action if: > - The machine you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode +> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. 
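Review bot: The link added to the Passive mode bullet in the hunk above (@@ -41,7 +41,7 @@), (../windows-defender-antivirus/windows-defender-antivirus-compatibility), has no .md extension, while the other relative link in this file, (../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md), does. Add the .md so the target matches the other relative links in this patch.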
@@ -107,9 +107,9 @@ You can roll back and remove a file from quarantine if you’ve determined that You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!IMPORTANT] ->- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

    +>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

    >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. ->- This response action is only available for machines on Windows 10, version 1703 or later. +>- This response action is available for machines on Windows 10, version 1703 or later. >[!NOTE] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index bbef37d999..af19622d4a 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -35,7 +35,7 @@ Quickly respond to detected attacks by isolating machines or collecting an inves As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. >[!IMPORTANT] -> This response action is only available for machines on Windows 10, version 1703 and later. +> This response action is available for machines on Windows 10, version 1703 and later. You can download the package (Zip file) and investigate the events that occurred on a machine. 
@@ -88,8 +88,9 @@ The package contains the following folders: ## Run Windows Defender Antivirus scan on machines As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. ->[!NOTE] -> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. +>[!IMPORTANT] +>- This action is available for machines on Windows 10, version 1709 and later. +>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. 1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: @@ -120,6 +121,11 @@ The machine timeline will include a new event, reflecting that a scan action was ## Restrict app execution In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. +>[!IMPORTANT] +> - This action is available for machines on Windows 10, version 1709 and later. +> - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). + + The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. >[!NOTE] 
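Review bot: The second bullet added under "Restrict app execution" has a typo, "code integrity policy formas and signing requirements"; it should read "formats", matching the link text that follows it. The sentence is also unclear about its subject: "This action needs to meet ..." reads as if the action itself must satisfy the requirements, so consider naming what has to meet them.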
@@ -170,6 +176,11 @@ Depending on the severity of the attack and the state of the machine, you can ch ## Isolate machines from the network Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +>[!IMPORTANT] +>- Full isolation is available for machines on Windows 10, version 1703. +>- Selective isolation is available for machines on Windows 10, version 1709 and above. +>- + This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. From d465f6fd751cb04f7c96fc75fd71cd85fe2b1ff7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 2 Nov 2017 12:50:52 -0700 Subject: [PATCH 18/81] fix link --- ...d-file-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index c346dc4ffe..8101839e92 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
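Review bot: In the "Isolate machines from the network" hunk above (@@ -170,6 +176,11 @@), the added IMPORTANT list ends with an empty bullet (">-") that should be removed or completed. The version numbers also disagree: the new bullet says selective isolation is available on "version 1709 and above", while the unchanged paragraph below it says "On Windows 10, version 1710 and above, you'll have additional control over the network isolation level". The first bullet gives "version 1703" with no "and later", unlike the other callouts in this patch; align these before merging.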
@@ -41,7 +41,7 @@ You can contain an attack in your organization by stopping the malicious process >You can only take this action if: > - The machine you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility). +> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. From c236872fc7c3f3a03ca9dcce0d4db69570ee4622 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 14:47:51 -0700 Subject: [PATCH 19/81] fiddling with svg --- .../windows-defender-antivirus-compatibility.md | 2 +- .../windows-defender-exploit-guard/images/svg/check-no.svg | 7 +++++++ .../images/svg/{check-yes.md => check-yes.svg} | 0 .../images/svg/check-yes.txt | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg rename windows/threat-protection/windows-defender-exploit-guard/images/svg/{check-yes.md => check-yes.svg} (100%) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index b2d2890d2b..dc473a60bd 100644 
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg new file mode 100644 index 0000000000..89a87afa8b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt new file mode 100644 index 0000000000..483ff5fefc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file From 100f50a48374d74fed4367f277393e4c297baf1b Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 15:58:44 -0700 Subject: [PATCH 20/81] svg --- .../windows-defender-antivirus-compatibility.md | 2 +- .../images/svg/{check-yes.svg => check-yes.md} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename windows/threat-protection/windows-defender-exploit-guard/images/svg/{check-yes.svg => check-yes.md} (100%) diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index dc473a60bd..8abaf116d0 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | ![Check mark no](images/svg/check-no.svg) | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md From eb305abc4fb5839491be690429c9c729fc5329c9 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 6 Nov 2017 23:33:36 +0000 Subject: [PATCH 21/81] Merged PR 4338: Merge ms-whfb-staging to whfb-staging Corrections for Hybrid Cert trust deployment guide --- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index c202596cd4..35ca37be84 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: * A well-connected, working network * Internet access - * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning +* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning * Proper name resolution, both internal and external names * Active Directory and an adequate number of domain controllers per site to support authentication * Active Directory Certificate Services 2012 or later diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 7c56e7ded8..0aafbf488a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infastructure) +* [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authetication](#multifactor-authentication) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index d7f825257f..6c59f37b66 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 342e42b0d0..5b1f2a3188 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 4. In the navigation pane, expand **Policies** under **User Configuration**. 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 9. Select the **Update certificates that use certificate templates** check box. From 0db0e752118f308807a455701b55947b42978473 Mon Sep 17 00:00:00 2001 
From: chintanpatel Date: Tue, 7 Nov 2017 09:20:28 -0800 Subject: [PATCH 22/81] Update reqs-wd-app-guard.md --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 00798f619b..0cf68cd835 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -22,7 +22,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

    **-AND-**

    One of the following virtualization extensions for VBS:

    VT-x (Intel)

    **-OR-**

    AMD-V| |Hardware memory|Microsoft recommends 8GB RAM for optimal performance| |Hard disk|5 GB free space, solid state disk (SSD) recommended| From 7fa368519ae5709fecc0da34556ae34aac9e215b Mon Sep 17 00:00:00 2001 From: Trevor Stevens Date: Tue, 7 Nov 2017 12:39:27 -0500 Subject: [PATCH 23/81] Update firewall-csp.md Added missing slash to FirewallRules_FirewallRuleName_/Profiles --- windows/client-management/mdm/firewall-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index b15f378072..d3aec267c5 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -263,7 +263,7 @@ The following diagram shows the Firewall configuration service provider in tree

    If not specified - a new rule is disabled by default.

    Boolean value. Supported operations are Get and Replace.

    -**FirewallRules_FirewallRuleName_/Profiles** +**FirewallRules/_FirewallRuleName_/Profiles**

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

    If not specified, the default is All.

    Value type is integer. Supported operations are Get and Replace.
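
Review bot: The description under the corrected **FirewallRules/_FirewallRuleName_/Profiles** heading still carries a stray period in the unchanged line right below it: `Domain, Private, Public. . See [FW_PROFILE_TYPE]`. Drop the extra ". " in this commit, since the heading fix already touches this entry and the sentence is the one that points readers to the profile bitmasks.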

    From 74ef1a6727d16115ad1a7d16b3498ebf849aae9c Mon Sep 17 00:00:00 2001 From: chintanpatel Date: Tue, 7 Nov 2017 10:22:26 -0800 Subject: [PATCH 24/81] Update reqs-wd-app-guard.md --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 00798f619b..bbc943fd7b 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -17,6 +17,9 @@ ms.date: 08/11/2017 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. +>[!NOTE] +>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. + ## Hardware requirements Your environment needs the following hardware to run Windows Defender Application Guard. From 038a0821842c2cd0ab4e860446e5da17a82112c4 Mon Sep 17 00:00:00 2001 From: Trevor Stevens Date: Tue, 7 Nov 2017 15:33:09 -0500 Subject: [PATCH 25/81] Update firewall-csp.md Updated italics for FirewallRules/FirewallRuleName/InterfaceTypes --- windows/client-management/mdm/firewall-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index d3aec267c5..94f9d6bbf9 100644 --- a/windows/client-management/mdm/firewall-csp.md 
+++ b/windows/client-management/mdm/firewall-csp.md @@ -290,7 +290,7 @@ The following diagram shows the Firewall configuration service provider in tree

    Value type is string. Supported operations are Get and Replace.

    -**FirewallRules/FirewallRuleName/InterfaceTypes** +**FirewallRules/_FirewallRuleName_/InterfaceTypes**

    Comma separated list of interface types. Valid values:

    • RemoteAccess
    • From 509532bb847b2274d1f936cf28b1b07e7103a154 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 7 Nov 2017 22:06:00 +0000 Subject: [PATCH 26/81] Updated configure-extension-file-exclusions-windows-defender-antivirus.md --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index c779b9a8bb..4648182715 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -69,7 +69,7 @@ This means the exclusion lists have the following characteristics: To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic. -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). >[!IMPORTANT] >Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). From ab19870cb13dfd625150dbcb69ef0c2e459d455b Mon Sep 17 00:00:00 2001 
From: Dani Halfin Date: Wed, 8 Nov 2017 00:07:37 +0000 Subject: [PATCH 27/81] Merged PR 4339: Merged PR 4338: Merge ms-whfb-staging to whfb-staging Merged PR 4338: Merge ms-whfb-staging to whfb-staging Corrections for Hybrid Cert trust deployment guide --- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index c202596cd4..35ca37be84 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: * A well-connected, working network * Internet access - * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning +* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning * Proper name resolution, both internal and external names * Active Directory and an adequate number of domain controllers per site to support authentication * Active Directory Certificate Services 2012 or later diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 7c56e7ded8..0aafbf488a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infastructure) +* [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authetication](#multifactor-authentication) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index d7f825257f..6c59f37b66 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 342e42b0d0..5b1f2a3188 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 4. In the navigation pane, expand **Policies** under **User Configuration**. 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 9. Select the **Update certificates that use certificate templates** check box. From f739e7356dfb97a8281c09929949a031ab355226 Mon Sep 17 00:00:00 2001 From: chintanpatel Date: Tue, 7 Nov 2017 16:16:19 -0800 Subject: [PATCH 28/81] Update faq-wd-app-guard.md --- .../faq-wd-app-guard.md | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 634876b5b8..74e513ecbd 100644 --- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -19,6 +19,15 @@ Answering frequently asked questions about Windows Defender Application Guard (A ## Frequently Asked Questions +| | | +|---|----------------------------| +|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| +|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | +||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| +||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| +
      + | | | |---|----------------------------| |**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| From 5ed75d14bf060387067770e9907dbcdc635cfa99 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 8 Nov 2017 00:35:08 +0000 Subject: [PATCH 29/81] Merged PR 4331: Add desktop support to Conditions for multivariant provisioning --- .../change-history-for-configure-windows-10.md | 8 +++++++- .../provisioning-multivariant.md | 14 ++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index f2d6cf6527..95fedcd1de 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -8,13 +8,19 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jdeckerms -ms.date: 10/20/2017 +ms.date: 11/06/2017 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## November 2017 + +New or changed topic | Description +--- | --- +[Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) | Add support for desktop to [Conditions](provisioning-packages/provisioning-multivariant.md#conditions) table. + ## October 2017 New or changed topic | Description diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 6da2cc4314..e63300657b 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -6,6 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms ms.localizationpriority: high +ms.date: 11/06/2017 +ms.author: jdecker --- # Create a provisioning package with multivariant settings 
@@ -44,12 +46,12 @@ The following table shows the conditions supported in Windows 10 provisioning fo | Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | | --- | --- | --- | --- | --- | --- | -| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | -| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | -| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. | -| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | -| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. | -| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | +| MNC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | +| MCC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | +| SPN | P0 | Supported | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. | +| PNN | P0 | Supported | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | +| GID1 | P0 | Supported | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | +| ICCID | P0 | Supported | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | | Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). 
| | UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


      - 0 - Empty
      - 1 - Ready
      - 2 - Locked | | UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


      - 0 - Slot 0
      - 1 - Slot 1 | From 41642eb46e5d304630f88a82d8fde900dabfae76 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 7 Nov 2017 19:55:24 -0800 Subject: [PATCH 30/81] add non-windows topic --- windows/threat-protection/TOC.md | 1 + ...ows-defender-advanced-threat-protection.md | 70 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 1 + 3 files changed, 72 insertions(+) create mode 100644 windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 84c4ef2208..dca4705764 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -30,6 +30,7 @@ ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection) #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
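Review bot: The TOC entry added in the `windows/threat-protection/TOC.md` hunk links to `windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection` with no `.md` extension, while every neighbouring entry in the hunk ends in `.md`. Add the extension so the link targets the new file the same way its siblings do.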
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..bdb618b0cb --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,70 @@ +--- +title: Configure non-Windows endpoints in Windows Defender ATP +description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service. +keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 11/07/2017 +--- + +# Configure non-Windows endpoints + +**Applies to:** + +- Mac OS X +- Linux +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. + +You'll need to know the exact Linux distros and Mac OS X versions that are compatible with Windows Defender ATP for the integration to work. + +## Onboard non-Windows endpoints +You'll need to take the following steps to oboard non-Windows endpoints: +1. Turn on third-party integration +2. Run a detection test + +### Turn on third-party integration + +1. In Windows Defender Security Center portal, select **Endpoint management** > **Clients** > **Non-Windows**. Make sure the third-party solution is listed. + +2. Toggle the third-party provider switch button to turn on the third-party solution integration. + +3. Click **Generate access token** button and then **Copy**. + +4. Depending on the third-party implementation you're using, the implementation might vary. Refer to the third-party solution documentation for guidance on how to use the token. 
+ + +>[!WARNING] +>The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution. + +### Run detection test +Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution. + +The file should trigger a detection and a corresponding alert on Windows Defender ATP. + +### Offboard non-Windows endpoints +To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. + + +1. Follow the third-party documentation to opt-out on the third-party service side. + +2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**. + +3. Toggle the third-party provider switch button to turn stop telemetry from endpoints. + +>[!WARNING] +>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints. + +## Related topics +- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) +- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
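Review bot: The offboarding steps in the new topic do not match the onboarding steps and step 3 is garbled. Onboarding navigates through **Endpoint management** > **Clients** > **Non-Windows**, offboarding through **Endpoint management**> **Non-Windows**, and step 3 reads "switch button to turn stop telemetry from endpoints". Use one portal path in both procedures and reword step 3 (for example "to stop telemetry from endpoints"). Further points in the same hunk: the front-matter description has "non-Winodws" and the onboarding intro has "oboard"; "### Offboard non-Windows endpoints" sits at H3 under "## Onboard non-Windows endpoints" and reads as a sub-step of onboarding, so consider H2; the sentence about needing to know the exact compatible Linux distros and Mac OS X versions gives no list or link; the token warning says the validity period is limited without saying how long; and the file ends without a trailing newline.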
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 68514478d8..a937627030 100644 --- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -44,6 +44,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us Topic | Description :---|:--- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. +[Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data. [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. 
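Review bot: The last sentence of the added table row reads "third-party security products sensor data", dropping the possessive apostrophe that the same sentence has in the new topic file. The row also copies the topic's full three-sentence intro, where the neighbouring rows use a one or two sentence summary; a shorter description would keep the table consistent.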
From 09eb4e53b8d52b22774566ccae12d4f03240d782 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 7 Nov 2017 20:13:00 -0800 Subject: [PATCH 31/81] minor updates --- windows/threat-protection/TOC.md | 2 +- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index dca4705764..72f67e94be 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -30,7 +30,7 @@ ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection) +#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 8e51bf936a..d4e348984c 100644 --- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -85,5 +85,6 @@ For more information, see [To disable an agent](https://docs.microsoft.com/en-us ## Related topics - [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) From 1271d020237622965d997e629b2ff4157f873c83 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 8 Nov 2017 19:15:10 +0000 Subject: [PATCH 32/81] Merged PR 4379: Add waring about Skip OOBE in Unattend.xml --- .../create-a-windows-10-reference-image.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 491211e7a9..e4723f6e1c 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md 
@@ -9,6 +9,7 @@ ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus +ms.date: 11/08/2017 --- # Create a Windows 10 reference image @@ -19,8 +20,8 @@ author: mtniehaus Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. -**Note**   -For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +>{!NOTE]}   +>For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).   ![figure 1](../images/mdt-08-fig01.png) 
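Review bot: In the @@ -19,8 +20,8 hunk the converted note opens with `>{!NOTE]}`, which does not match the `>[!NOTE]` alert syntax used for the other notes in this patch and will not be recognised as a note block. Change the added line to `>[!NOTE]`.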
@@ -75,8 +76,8 @@ This section will show you how to populate the MDT deployment share with the Win MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. -**Note**   -Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. +>[!OTE]   +>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.   ### Add Windows 10 Enterprise x64 (full source) @@ -115,8 +116,8 @@ By storing configuration items as MDT applications, it is easy to move these obj In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell. -**Note**   -All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). +>[!NOTE]   +>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).   ### Create the install: Microsoft Office Professional Plus 2013 x86 
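Review bot: In the @@ -75,8 +76,8 hunk the converted note opens with `>[!OTE]`, which is missing the "N" and will not be recognised as a note block. Change it to `>[!NOTE]`, as the @@ -115,8 +116,8 hunk already does.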
@@ -371,8 +372,11 @@ Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut. When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK). -**Note**   -You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the Install Roles and Features action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. +>[!WARNING] +>Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml + +>[!NOTE]   +>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing.   Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: From 15f0afcecbad6f5d3e293f0d5d5a53c101af1d3f Mon Sep 17 00:00:00 2001 
From: Liza Poggemeyer Date: Wed, 8 Nov 2017 19:15:55 +0000 Subject: [PATCH 33/81] Merged PR 4380: set publishing date for support article Top support solutions article currently using the default 4/5/17 publishing date, instead of a manually set date, which is needed to help customers know that the support list is current. Updated to 8/30/17. --- windows/client-management/windows-10-support-solutions.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 5c68eb15b8..2daf689b30 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.author: elizapo author: kaushika-msft ms.localizationpriority: high +ms.date: 08/30/2017 --- # Top support solutions for Windows 10 From bd5013b930a9da2e505982704e50a02dafa8f27e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 8 Nov 2017 20:29:07 +0000 Subject: [PATCH 34/81] Merged PR 4384: Noted the new unattend.xml warning in Change History --- .../deployment/change-history-for-deploy-windows-10.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index fab7d7e9ce..af4b28f704 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md 
@@ -6,12 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay -ms.date: 10/31/2017 +ms.date: 11/08/2017 --- # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). +## November 2017 + +New or changed topic | Description +-- | --- + [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. + ## RELEASE: Windows 10, version 1709 | New or changed topic | Description | |----------------------|-------------| From 951895ea0ac9bdbfe50d2c315cd32a62d113054b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 Nov 2017 12:54:39 -0800 Subject: [PATCH 35/81] add pre-release --- ...-non-windows-windows-defender-advanced-threat-protection.md | 2 +- .../preview-windows-defender-advanced-threat-protection.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index bdb618b0cb..7ebccf3f0f 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md 
@@ -20,7 +20,7 @@ ms.date: 11/07/2017 - Linux - Windows Defender Advanced Threat Protection (Windows Defender ATP) - +[!includePrerelease information] Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 8364b738c5..301fdd085f 100644 --- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -55,6 +55,9 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you - [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
      Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. +- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
      +Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) From 4d620dc79b9f1716ebeb67f89bc2fede02df0579 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 Nov 2017 12:57:06 -0800 Subject: [PATCH 36/81] pre-release --- ...non-windows-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 7ebccf3f0f..39feb6c290 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas localizationpriority: high -ms.date: 11/07/2017 +ms.date: 11/08/2017 --- # Configure non-Windows endpoints 
@@ -20,7 +20,7 @@ ms.date: 11/07/2017 - Linux - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!includePrerelease information] +[!include[Prerelease information](prerelease.md)] Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. From d067c6d4f06f3fdd059a3af9d7bab864d4783596 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Wed, 8 Nov 2017 14:44:11 -0800 Subject: [PATCH 37/81] changed instances of the parameter enablePrint or enablePrinting to requirePrinting, per PM --- education/windows/change-history-edu.md | 2 ++ education/windows/take-a-test-multiple-pcs.md | 4 ++-- education/windows/take-a-test-single-pc.md | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index b8aac09d33..12ad05add1 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -20,6 +20,8 @@ This topic lists new and updated topics in the [Windows 10 for Education](index. | New or changed topic | Description | | --- | ---- | | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. | +| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | +| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | ## RELEASE: Windows 10, version 1709 (Fall Creators Update) 
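Review bot: The two rows added to `change-history-edu.md` say instances of `enablePrint`, or `enablePrinting`, were updated to `requirePrinting`, but do not tell a reader whether existing Take a Test links built with the old parameter need to be changed. State that in the description, since the change history is where an administrator would look for it. The unchanged row just above also has a doubled word ("Updated the the list"), which could be fixed in the same pass.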
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index beddf8d589..4514676415 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -233,9 +233,9 @@ One of the ways you can present content in a locked down manner is by embedding 2. To enable printing, screen capture, or both, use the above link and append one of these parameters: - `&enableTextSuggestions` - Enables text suggestions - - `&enablePrint` - Enables printing + - `&requirePrinting` - Enables printing - `&enableScreenCapture` - Enables screen capture - - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. + - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. If you exclude these parameters, the default behavior is disabled. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 6b07a96b6c..b64859a2d9 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -97,9 +97,9 @@ One of the ways you can present content in a locked down manner is by embedding 2. To enable printing, screen capture, or both, use the above link and append one of these parameters: - `&enableTextSuggestions` - Enables text suggestions - - `&enablePrint` - Enables printing + - `&requirePrinting` - Enables printing - `&enableScreenCapture` - Enables screen capture - - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. + - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. If you exclude these parameters, the default behavior is disabled. From 0d8db2b14dab737437aace046231418046c8e16a Mon Sep 17 00:00:00 2001 From: nevedita Date: Wed, 8 Nov 2017 15:32:09 -0800 Subject: [PATCH 39/81] Update upgrade-readiness-requirements.md --- windows/deployment/upgrade/upgrade-readiness-requirements.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 687130e800..18d561a304 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -57,6 +57,7 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields `https://v10.vortex-win.data.microsoft.com/collect/v1`
      `https://vortex-win.data.microsoft.com/health/keepalive`
      `https://settings.data.microsoft.com/qos`
      +`https://settings-win.data.microsoft.com/qos`
      `https://go.microsoft.com/fwlink/?LinkID=544713`
      `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`
      From cbd7a32c3628da7d25f12f11ed7ff0ab0ae31a30 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 Nov 2017 17:16:59 -0800 Subject: [PATCH 40/81] wdav and atp alerts --- ...ows-defender-advanced-threat-protection.md | 24 +++++++++++++++---- ...ows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index a4b8d93002..d73a80c764 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -47,20 +47,20 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti ## Sort, filter, and group the alerts list You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. -**Time period**
      +### Time period - 1 day - 3 days - 7 days - 30 days - 6 months -**OS Platform**
      +### OS Platform - Windows 10 - Windows Server 2012 R2 - Windows Server 2016 - Other -**Severity**
      +### Severity Alert severity | Description :---|:--- @@ -71,7 +71,21 @@ Informational
      (Grey) | Informational alerts are those that might not be con Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. -**Detection source**
      +#### Understanding alert severity +It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes. + +The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. + +The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. + +So, for example: +- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as Informational because there was no actual damage incurred. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as Low because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as Medium or High. +- Suspicious behavioral alerts which were not blocked or remediated will be ranked Low, Medium or High following the same organizational threat considerations. + + +### Detection source - Windows Defender AV - Windows Defender ATP - Windows Defender SmartScreen @@ -80,7 +94,7 @@ Reviewing the various alerts and their severity can help you decide on the appro >[!NOTE] >The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product. -**View**
      +### View - **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. - **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together. diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index b196a3f4fa..e92c2218ce 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> It can take up to 15 minutes for the alert to appear in the portal. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when an alert appears in the portal. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From 927cba612505f356444b7c4b5e4a712af385e6d8 Mon Sep 17 00:00:00 2001 From: y0avb Date: Thu, 9 Nov 2017 16:33:29 +0100 Subject: [PATCH 41/81] remove line "see Surface Hub device account scripts in Script Center" As the url no longer exists. --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index c2281921b1..8ad6bda6cb 100644 
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -68,7 +68,7 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. +After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. From ec05ac833e7c87a0b36204e63313ef12b9d10246 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 9 Nov 2017 16:38:13 +0000 Subject: [PATCH 42/81] Merged PR 4405: fixed formatting for XML examples --- .../manage-windows-mixed-reality.md | 32 +++++++++--------- .../client-management/mdm/applocker-csp.md | 33 +++++++++---------- 2 files changed, 32 insertions(+), 33 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index cc3105a21f..d69d0aca40 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -65,22 +65,22 @@ In the following example, the **Id** can be any generated GUID and the **Name** text/plain - <RuleCollection Type="Appx" EnforcementMode="Enabled"> - <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> - <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - </RuleCollection>> + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." 
UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + </RuleCollection>> diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 5ab0e0ff0b..c9a7ca2be4 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -876,29 +876,28 @@ The following example disables the Mixed Reality Portal. In the example, the **I text/plain - <RuleCollection Type="Appx" EnforcementMode="Enabled"> - <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> - <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - </RuleCollection>> + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." 
UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + </RuleCollection>> - ``` The following example for Windows 10 Mobile denies all apps and allows the following apps: From 7259ac6a546fe8a7e3d0cae4411293b159a92e57 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 9 Nov 2017 20:19:22 +0000 Subject: [PATCH 43/81] Merged PR 4404: Add SHub link + clarify note in Unattend.xml --- ...prepare-your-environment-for-surface-hub.md | 1 + .../create-a-windows-10-reference-image.md | 18 +++++++++--------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 8ad6bda6cb..d5fdb07a74 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -118,6 +118,7 @@ When you go through the first-run program for your Surface Hub, there's some inf ## More information - [Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/) +- [Surface Hub in a Multi-Domain Environment](https://blogs.technet.microsoft.com/y0av/2017/11/08/11/)   
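Review bot: in the two XML hunks of PATCH 42/81 (`manage-windows-mixed-reality.md` and `applocker-csp.md`), the re-indented closing line still reads `</RuleCollection>>` with a doubled `>`, carried over unchanged from the removed lines. Because the purpose of this change is to fix the formatting of the XML examples, and readers paste these AppLocker rule collections into policy payloads, drop the extra character so the example ends with `</RuleCollection>` in both files.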
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e4723f6e1c..b8bc4a5ce1 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -373,7 +373,7 @@ Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut. When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK). >[!WARNING] ->Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml +>Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. >[!NOTE]   >You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. 
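Review bot: the expanded warning in the `@@ -373,7 +373,7 @@` hunk now says **SkipMachineOOBE** and **SkipUserOOBE** "are deprecated and can have unintended effects if used", but it names no effect and offers no alternative. A reader who already has these settings in an Unattend.xml cannot judge the risk of leaving them in place or know what to configure instead. Either name the behavior that changes or link to the reference that documents the deprecation.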
@@ -469,8 +469,8 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which 2. ISO file name: MDT Build Lab x64.iso 8. Click **OK**. -**Note**   -In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). +>[!NOTE]   +>In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).   ### Update the deployment share @@ -480,8 +480,8 @@ After the deployment share has been configured, it needs to be updated. This is 1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. -**Note**   -The update process will take 5 to 10 minutes. +>[!NOTE]   +>The update process will take 5 to 10 minutes.   ### The rules explained @@ -491,8 +491,8 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). -**Note**   -The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. +>[!NOTE]   +>The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.   ### The Bootstrap.ini file 
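Review bot: each converted note in these hunks is added as `>[!NOTE]` followed by trailing whitespace, the same padding that followed the old `**Note**` lines. Strip it so the alert marker is the only content on its line. The `>[!NOTE]` context line in the `@@ -373,7 +373,7 @@` hunk has the same trailing padding and could be cleaned up in the same pass. Also check that the note added after step 8 ("Click **OK**.") in the `@@ -469,8 +469,8 @@` hunk renders where intended, since it is not indented under the numbered list.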
@@ -519,8 +519,8 @@ So, what are these settings?   - **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. -**Note**   -All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. +>[!NOTE]   +>All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.   ### The CustomSettings.ini file From b829576491a039eba086ceae3360dd07ebf2d8e3 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 12:52:52 -0800 Subject: [PATCH 44/81] updates to ASR exclusions to indicate which rules can't use them --- .../attack-surface-reduction-exploit-guard.md | 5 ++-- .../customize-attack-surface-reduction.md | 30 +++++++++++++++++-- .../enable-attack-surface-reduction.md | 6 ++-- .../images/svg/check-no.svg | 7 +++++ .../images/svg/check-yes.svg | 7 +++++ 5 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5173d88d30..7aed2de7ad 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -64,7 +64,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: -Rule name | GUIDs +Rule name | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A @@ -93,7 +93,8 @@ This rule blocks the following file types from being run or launched from an ema - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files - +>[!IMPORTANT] +>Exclusions do not apply to this rule. ### Rule: Block Office applications from creating child processes diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index e68c054cde..da4006d74f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -43,9 +43,35 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by Attack surface reduction rules. +You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. + +This could potentially allow unsafe files to run and infect your devices. + +>[!WARNING] +>Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> +>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. + +Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. + +>[!IMPORTANT] +>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). 
+ + +Rule description | Rule honors exclusions | GUID +-|- +Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D + +See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). ### Use Group Policy to exclude files and folders diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index e4853782de..7c56eff7bf 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -50,7 +50,7 @@ Attack surface reduction rules are identified by their unique rule ID. You can manually add the rules by using the GUIDs in the following table: -Rule description | GUIDs +Rule description | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A @@ -62,7 +62,7 @@ Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DD See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable Attack surface reduction rules +### Use Group Policy to enable or audit Attack surface reduction rules 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -84,7 +84,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to - ### Use PowerShell to enable Attack surface reduction rules + ### Use PowerShell to enable or audit Attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg new file mode 100644 index 0000000000..89a87afa8b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg new file mode 100644 index 0000000000..483ff5fefc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file From 5709a6732a55a0c35974671e750f3ab521439218 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 9 Nov 2017 13:13:22 -0800 Subject: [PATCH 45/81] fix quotes --- ...rts-queue-windows-defender-advanced-threat-protection.md | 6 +++--- ...custom-ti-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index d73a80c764..a89494bfc1 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
@@ -79,10 +79,10 @@ The Windows Defender AV threat severity represents the absolute severity of the The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. So, for example: -- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as Informational because there was no actual damage incurred. +- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. - An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as Low because it may have caused some damage to the individual machine but poses no organizational threat. -- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as Medium or High. -- Suspicious behavioral alerts which were not blocked or remediated will be ranked Low, Medium or High following the same organizational threat considerations. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". +- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. ### Detection source 
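Review bot: the second bullet is left unchanged as `is categorized as Low because`, while the other three bullets in this hunk now quote their severity names ("Informational", "Medium" or "High", "Low", "Medium" or "High"). For a commit whose purpose is to fix the quoting, this leaves the list inconsistent. Quote "Low" in that bullet as well. While touching the line, "An alert about a commercial malware was detected while executing" also needs rewording, for example "An alert about commercial malware that was detected while executing".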
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index e92c2218ce..5250f2f639 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when an alert appears in the portal. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it takes effect. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From 9292352705422b4f1af31d889b2a02764d024405 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:44:47 -0800 Subject: [PATCH 46/81] update svg --- .../customize-attack-surface-reduction.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index da4006d74f..71d5e72d89 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -61,14 +61,14 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID --|- +-|-|- Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | [!include[Check mark no](images/svg/check-no.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | [!include[Check mark no](images/svg/check-no.svg)] | 
D3E037E1-3EB8-44C8-A917-57927947596D See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 0cb54f4ee924f022cbf79b50d1fbf7f732436311 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:53:30 -0800 Subject: [PATCH 47/81] consistency to rule names --- .../attack-surface-reduction-exploit-guard.md | 6 +++++- .../customize-attack-surface-reduction.md | 10 +++++----- .../enable-attack-surface-reduction.md | 6 +++--- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 7aed2de7ad..9bf3316aeb 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -117,14 +117,18 @@ Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. +>[!IMPORTANT] +>Exclusions do not apply to this rule. -### Rule: Block JavaScript ok VBScript From launching downloaded executable content +### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +>[!IMPORTANT] +>Exclusions do not apply to this rule. ### Rule: Block execution of potentially obfuscated scripts 
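Review bot: the corrected heading in the `@@ -117,14 +117,18 @@` hunk fixes "ok" to "or" but keeps the capitalized "From" in `### Rule: Block JavaScript or VBScript From launching downloaded executable content`. The same patch spells the rule "Block JavaScript or VBScript from launching downloaded executable content" in the customize table, so lowercase it here to get the consistency the commit subject promises. This hunk also adds two `>[!IMPORTANT]` notes saying that exclusions do not apply. That is a behavioral statement rather than a naming fix, so mention it in the commit message so the change is not overlooked.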
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 71d5e72d89..8623e252d7 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -62,13 +62,13 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID -|-|- -Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | [!include[Check mark no](images/svg/check-no.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D +Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D +Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 See the [Attack surface 
reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 7c56eff7bf..c147b811c2 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -55,10 +55,10 @@ Rule description | GUID Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 0cf0214497e8c8f23254dfaf93f1ce9c94267194 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:58:21 -0800 Subject: [PATCH 48/81] update imp note about rules that don't allow exclusions --- .../attack-surface-reduction-exploit-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
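Review bot: In PATCH 47/81 ("consistency to rule names"), the customize-attack-surface-reduction.md row for 3B576869-A4EC-4529-8536-B80A7769E899 (Block Office applications from creating executable content) changes its "Rule honors exclusions" cell from check-no to check-yes, which is a statement about behavior rather than a rename. Please confirm the flip is intended and say so in the commit message. The email and webmail row also moves from first to last in that table while staying first in enable-attack-surface-reduction.md, so the two tables no longer list the rules in the same order.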
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9bf3316aeb..79d18a0881 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -94,7 +94,7 @@ This rule blocks the following file types from being run or launched from an ema - Script archive files >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block Office applications from creating child processes @@ -118,7 +118,7 @@ This is typically used by malware to run malicious code in an attempt to hide th >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block JavaScript or VBScript From launching downloaded executable content @@ -128,7 +128,7 @@ This rule prevents these scripts from being allowed to launch apps, thus prevent >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block execution of potentially obfuscated scripts From bf4ef40a17d5f93ebcda4b98eff4b2a55fdf5243 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 9 Nov 2017 14:11:17 -0800 Subject: [PATCH 49/81] fix quotes --- .../alerts-queue-windows-defender-advanced-threat-protection.md | 2 +- ...ent-custom-ti-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index a89494bfc1..f262dc08a7 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -80,7 +80,7 @@ The Windows Defender ATP alert severity represents the severity of the detected So, for example: - The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. -- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as Low because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 5250f2f639..8003743e5d 100644 
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it takes effect. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From 2b2fb10044869a0c20965dc4853a7ae184de79b1 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 14:16:12 -0800 Subject: [PATCH 50/81] update svg files --- .../images/svg/check-no.md | 7 --- .../images/svg/check-no.svg} | 0 .../images/svg/check-yes.md | 7 --- .../images/svg/check-yes.svg} | 0 ...indows-defender-antivirus-compatibility.md | 6 +-- .../customize-attack-surface-reduction.md | 2 +- .../customize-exploit-protection.md | 52 +++++++++---------- .../images/svg/check-yes.txt | 7 --- 8 files changed, 30 insertions(+), 51 deletions(-) delete mode 100644 windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md rename windows/threat-protection/{windows-defender-exploit-guard/images/svg/check-no.md => windows-defender-antivirus/images/svg/check-no.svg} (100%) delete mode 100644 windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md rename windows/threat-protection/{windows-defender-exploit-guard/images/svg/check-yes.md => windows-defender-antivirus/images/svg/check-yes.svg} (100%) delete mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt 
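Review bot: The edited note in experiment-custom-ti-windows-defender-advanced-threat-protection.md still reads "between the the time", so the duplicated "the" survives the rewrite of that line; drop one while the line is being touched. The change from "takes effect" to "becomes effective" is a wording change rather than a quote fix, so the subject "fix quotes" only describes the alerts-queue hunk.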
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md deleted file mode 100644 index afa7a3d27d..0000000000 --- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark no - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md deleted file mode 100644 index 4dd10553c4..0000000000 --- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 8abaf116d0..ac10f8950b 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,9 +67,9 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | ![Check mark no](images/svg/check-no.svg) | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] -Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. 
Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] +Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). 
| [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 8623e252d7..421eef2058 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -61,7 +61,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID --|-|- +-|:-:|- Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 40aebba1d3..6b1389f6dd 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
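Review bot: In windows-defender-antivirus-compatibility.md, the new "Automatic disabled mode" row ends with `[!include[Check mark no](images/svg/check-no.svg)]]`, one closing bracket more than the other cells, which is likely to leave a stray "]" in the last column. Remove the extra bracket. The removed rows mixed `.svg`, `.txt` and `.md` targets, and this commit deletes or renames the `.md` and `.txt` files, so a search for any remaining references to them is worth doing before merging.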
@@ -63,28 +63,28 @@ The **Use default** configuration for each of the mitigation settings indicates For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. Mitigation | Description | Can be applied to | Audit mode available -- | - | - | - -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. 
Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. 
Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +- | - | - | :-: +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. 
| System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Do not allow child processes | Prevents an app from creating child processes. 
| App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] >[!IMPORTANT] >If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: 
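Review bot: The "Code integrity guard" row is rewritten with its description unchanged: "Restricts loading of images signed by Microsoft, WQL, and higher." "WQL" looks like a typo for WHQL, and "Restricts loading of images signed by" reads as the opposite of the intent (suggest "Restricts loading to images signed by"). Since every row is already being touched for the .svg path, fix these here, and add the missing comma in "system structures heaps" in the Bottom-Up ASLR row.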
@@ -92,10 +92,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi > >Enabled in **Program settings** | Enabled in **System settings** | Behavior >:-: | :-: | :-: ->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | As defined in **Program settings** ->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **Program settings** ->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **System settings** ->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | Default as defined in **Use default** option +>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** +>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** +>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** +>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option > > > diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt deleted file mode 100644 index 483ff5fefc..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file From 26665db1f0d3fe102af6bad0b9955f24d3d8c86f Mon Sep 17 00:00:00 2001 
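Review bot: The last two rows of the **Program settings** / **System settings** matrix have identical inputs (check-no, then check-yes) but different behaviors ("As defined in **System settings**" and "Default as defined in **Use default** option"), and the patch carries that over unchanged apart from the .svg path. The fourth row presumably should show check-no in both columns; as written the matrix never covers the case where the mitigation is enabled in neither place.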
From: Joey Caparas Date: Thu, 9 Nov 2017 16:01:16 -0800 Subject: [PATCH 51/81] update to wdav reqs --- ...ile-alerts-windows-defender-advanced-threat-protection.md | 2 +- ...ine-alerts-windows-defender-advanced-threat-protection.md | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 8101839e92..9d43d529d6 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 11/10/2017 --- # Take response actions on a file diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index a7f615af1e..244613a878 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 11/10/2017 --- # Take response actions on a machine 
@@ -90,7 +90,8 @@ As part of the investigation or response process, you can remotely initiate an a >[!IMPORTANT] >- This action is available for machines on Windows 10, version 1709 and later. ->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. +>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). + 1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: From 2a690af06602471d349c67bac4aecc445cc563f0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 9 Nov 2017 16:12:34 -0800 Subject: [PATCH 52/81] updates --- windows/threat-protection/TOC.md | 2 +- ...ts-windows-defender-advanced-threat-protection.md | 2 +- ...ts-windows-defender-advanced-threat-protection.md | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 1646612a6a..e9db3c1bbe 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -60,7 +60,7 @@ #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) ###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) ###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) ###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 9d43d529d6..f5bdb18d2e 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -45,7 +45,7 @@ You can contain an attack in your organization by stopping the malicious process The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10, version 1703 and above where the file was observed in the last 30 days. +The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] >You’ll be able to remove the file from quarantine at any time. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 244613a878..3ab0892e62 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -29,13 +29,13 @@ ms.date: 11/10/2017 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!IMPORTANT] -> These response actions are only available for machines on Windows 10, version 1703 and later. +> These response actions are only available for machines on Windows 10, version 1703 or later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. >[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 and later. +> This response action is available for machines on Windows 10, version 1703 or later. You can download the package (Zip file) and investigate the events that occurred on a machine. @@ -89,7 +89,7 @@ The package contains the following folders: As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. >[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 and later. +>- This action is available for machines on Windows 10, version 1709 or later. >- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). 
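Review bot: The page-level IMPORTANT callout in the first hunk still says these response actions are available on Windows 10, version 1703 or later, while the antivirus scan callout in the second hunk, and the restrict-app-execution callout later in this patch, require version 1709 or later, so the blanket statement overstates what works on a 1703 endpoint. Since this wording is being edited anyway, qualify the top note (for example, "version 1703 or later, unless a later version is noted for a specific action") so a responder reading only the introduction does not expect a remote scan or app restriction to succeed on a 1703 machine.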
@@ -123,7 +123,7 @@ The machine timeline will include a new event, reflecting that a scan action was In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. >[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 and later. +> - This action is available for machines on Windows 10, version 1709 or later. > - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). @@ -179,12 +179,12 @@ Depending on the severity of the attack and the sensitivity of the machine, you >[!IMPORTANT] >- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 and above. +>- Selective isolation is available for machines on Windows 10, version 1709 or later. >- This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. From fcb1e46727b19587d0eba8ac2e13e685672c63f4 Mon Sep 17 00:00:00 2001 
From: Maricia Alforque Date: Fri, 10 Nov 2017 17:43:31 +0000 Subject: [PATCH 53/81] Merged PR 4325: Policy CSP - updated description for AllowCortana policy removed section about Cortana in OOBE from AllowCortana policy in Policy CSP --- windows/client-management/mdm/policy-csp-experience.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index d01dd5566e..646d49acd0 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -175,14 +175,6 @@ ms.date: 11/01/2017

      Most restricted value is 0. -

      Benefit to the customer: - -

      Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. - -

      Sample scenario: - -

      An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. -


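Review bot: The deleted "Benefit to the customer" paragraph mixes promotional wording with the one functional statement in this block, that sending AllowCortana in initial enrollment lets employees see the Cortana consent page during OOBE, and the whole paragraph goes with it. If that enrollment-time behavior still applies, keep it as a single factual sentence under the policy description so administrators do not lose it; if it no longer applies, say so in the commit body. The hunk header also shows ms.date: 11/01/2017, and with 8 deletions and no insertions the date is left unchanged for a content edit made on 10 Nov 2017.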
      From cd16f707d1385394a0881c5f5d9ae5b201e76e3c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 11:04:54 -0800 Subject: [PATCH 54/81] topic name updates --- windows/threat-protection/TOC.md | 4 ++-- ...mpatibility-windows-defender-advanced-threat-protection.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 85aa64621b..5ad254fd49 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -142,13 +142,13 @@ #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) +#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) #### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) -### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) +### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) 
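Review bot: The Power BI entry is retitled only in TOC.md; the diffstat for this patch lists TOC.md and the defender-compatibility topic, so powerbi-reports-windows-defender-advanced-threat-protection.md is not touched and its title and H1 may no longer match the new TOC text "Enable and create Power BI reports using Windows Defender ATP data". Update that topic's front matter and heading in the same commit, as this patch does for the compatibility topic, or confirm they already read this way.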
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index fbef87a600..d216067757 100644 --- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Antivirus compatibility +title: Windows Defender Antivirus compatibility with Windows Defender ATP description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, windows defender atp search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 10/17/2017 --- -# Windows Defender Antivirus compatibility +# Windows Defender Antivirus compatibility with Windows Defender ATP **Applies to:** From 0e266d600e3579503c3edad71f4bc7d3461153d5 Mon Sep 17 00:00:00 2001 From: lmasieri <32968351+lmasieri@users.noreply.github.com> Date: Fri, 10 Nov 2017 11:25:18 -0800 Subject: [PATCH 55/81] Update manage-orders-microsoft-store-for-business.md --- .../manage-orders-microsoft-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 08da797130..5ff6a0ebc6 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md 
@@ -43,7 +43,7 @@ Refunds work a little differently for free apps, and apps that have a price. In There are a few requirements for apps that have a price: - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - - **Avaialable licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. + - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. **To refund an order** From 9d98852bc4325e260bb113955b63053eb9c26e31 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Fri, 10 Nov 2017 13:08:43 -0800 Subject: [PATCH 56/81] include link to signup and add MSA ocid --- .../windows-defender-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 1fbdee219b..29fbde030a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -52,7 +52,7 @@ Windows Defender EG can be managed and reported on in the Windows Defender Secur - Windows Defender Device Guard - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) -You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. Each of the features in Windows Defender EG have slightly different requirements: From 3bd595bd5b75ce487014cfe5ed6b2e972a1fdd3c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 13:17:09 -0800 Subject: [PATCH 57/81] fix typo --- ...achine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 3ab0892e62..1e620e9791 100644 
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -124,7 +124,7 @@ In addition to the ability of containing an attack by stopping malicious process >[!IMPORTANT] > - This action is available for machines on Windows 10, version 1709 or later. -> - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). +> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. From bd5b31f73f8e4ecf89d47ca7f1b815c8d62bacd8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 13:17:55 -0800 Subject: [PATCH 58/81] fix typo --- ...achine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 1e620e9791..87f97bcd64 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -180,7 +180,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you >[!IMPORTANT] >- Full isolation is available for machines on Windows 10, version 1703. >- Selective isolation is available for machines on Windows 10, version 1709 or later. ->- + This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. From e5896f3e4c80c0106743e48ed29d23e0f50d0b29 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 10 Nov 2017 21:19:39 +0000 Subject: [PATCH 59/81] Merged PR 4435: eUICCs CSP - new --- windows/client-management/mdm/TOC.md | 2 + windows/client-management/mdm/euiccs-csp.md | 87 +++++ .../client-management/mdm/euiccs-ddf-file.md | 343 ++++++++++++++++++ .../mdm/images/Provisioning_CSP_eUICCs.png | Bin 0 -> 14272 bytes .../mdm/images/provisioning-csp-euiccs.png | Bin 0 -> 14272 bytes ...ew-in-windows-mdm-enrollment-management.md | 8 + 6 files changed, 440 insertions(+) create mode 100644 windows/client-management/mdm/euiccs-csp.md create mode 100644 windows/client-management/mdm/euiccs-ddf-file.md create mode 100644 windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png create mode 100644 windows/client-management/mdm/images/provisioning-csp-euiccs.png 
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index b23dc6e57b..46ae254e64 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -142,6 +142,8 @@ ### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md) #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md) +### [eUICCs CSP](euiccs-csp.md) +#### [eUICCs DDF file](euiccs-ddf-file.md) ### [FileSystem CSP](filesystem-csp.md) ### [Firewall CSP](firewall-csp.md) #### [Firewall DDF file](firewall-ddf-file.md) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md new file mode 100644 index 0000000000..127aa77257 --- /dev/null +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -0,0 +1,87 @@ +--- +title: eUICCs CSP +description: eUICCs CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 11/01/2017 +--- + +# eUICCs CSP + + +The eUICCs configuration service provider... This CSP was added in windows 10, version 1709. + +The following diagram shows the eUICCs configuration service provider in tree format. + +![euiccs csp](images/provisioning-csp-euiccs.png) + +**./Vendor/MSFT/eUICCs** +Root node. + +**_eUICC_** +Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + +Supported operation is Get. + +**_eUICC_/Identifier** +Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + +Supported operation is Get. Value type is string. + +**_eUICC_/IsActive** +Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/Profiles** +Interior node. Required. Represents all enterprise-owned profiles. + +Supported operation is Get. + +**_eUICC_/Profiles/_ICCID_** +Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + +Supported operations are Add, Get, and Delete. + +**_eUICC_/Profiles/_ICCID_/ServerName** +Required. 
Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + +Supported operations are Add and Get. Value type is string. + +**_eUICC_/Profiles/_ICCID_/MatchingID** +Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + +Supported operations are Add and Get. Value type is string. + +**_eUICC_/Profiles/_ICCID_/State** +Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + +Supported operation is Get. Value type is integer. Default value is 1. + +**_eUICC_/Policies** +Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). + +Supported operation is Get. + +**_eUICC_/Policies/LocalUIEnabled** +Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + +Supported operations are Get and Replace. Value type is boolean. Default value is true. + +**_eUICC_/Actions** +Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active). + +Supported operation is Get. + +**_eUICC_/Actions/ResetToFactoryState** +Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + +Supported operation is Execute. Value type is string. + +**_eUICC_/Actions/Status** +Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + +Supported value is Get. Value type is integer. Default is 0. \ No newline at end of file diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md new file mode 100644 index 0000000000..d3d539c88e 
--- /dev/null +++ b/windows/client-management/mdm/euiccs-ddf-file.md 
@@ -0,0 +1,343 @@ +--- +title: eUICCs DDF file +description: eUICCs DDF file +ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 06/19/2017 +--- + +# eUICCs DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + eUICCs + ./Vendor/MSFT + + + + + Subtree for all embedded UICCs (eUICC) + + + + + + + + + + + + + + com.microsoft/1.0/MDM/eUICCs + + + + + + + + + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + + + + + + + + + + eUICC + + + + + + Identifier + + + + + Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + + + + + + + + + + + + + + text/plain + + + + + IsActive + + + + + Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + + + + + text/plain + + + + + Profiles + + + + + Represents all enterprise-owned profiles. + + + + + + + + + + + + + + + + + + + + + + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + + + + ICCID + + + + + + ServerName + + + + + + Fully qualified domain name of the SM-DP+ that can download this profile. 
Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + text/plain + + + + + MatchingID + + + + + + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + text/plain + + + + + State + + + + + 1 + Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + + + Policies + + + + + Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + + + + + + + + + LocalUIEnabled + + + + + + true + Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + + + + + text/plain + + + + + + Actions + + + + + Actions that can be performed on the eUICC as a whole (when it is active). + + + + + + + + + + + + + + + ResetToFactoryState + + + + + An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + + + + + + + + + + + text/plain + + + + + Status + + + + + 0 + Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file 
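Review bot: The opening sentence of the new euiccs-csp.md, "The eUICCs configuration service provider... This CSP was added in windows 10, version 1709.", is an unfinished placeholder: replace the ellipsis with what the CSP is used for (going by the node descriptions, managing enterprise-owned eUICC profiles and policies through the LPA) and capitalize "Windows". In the same file, _eUICC_/Actions/Status says "Supported value is Get" where every other node says "Supported operation", and LocalUIEnabled describes "the local user interface of the LUI", which is circular. The page references images/provisioning-csp-euiccs.png, yet the diffstat also adds images/Provisioning_CSP_eUICCs.png with the same 14272-byte size; drop the mixed-case copy if nothing links to it.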
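Review bot: The front matter of the new euiccs-ddf-file.md carries ms.date: 06/19/2017, months before this commit (10 Nov 2017) and different from the 11/01/2017 on the companion euiccs-csp.md added in the same patch, and it has an ms.assetid that the companion file lacks; both read as leftovers from a copied template. Set ms.date to the authoring date and check that the ms.assetid value is not shared with the topic it was copied from. Both new files also end with "\ No newline at end of file"; add the trailing newline.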
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png b/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png new file mode 100644 index 0000000000000000000000000000000000000000..a4c67a8b7e6469ecf14d0a29392968d4dad6eed2 GIT binary patch literal 14272
zD!kIkav&FjB$jAGMhRpX1m8>56?3A@IKIL+nNom&-3QnGd7rzpjks9hu1-(I6IS<) z1^$qHmcRI^;tgua>;Y7V)&pT*lY0@P2&nNqvI6(z%Qsb-K%9l_&W754wae%}P}@0x ziDo(o2S(8irekxOZ+qc$_U+!AfaAQfv!b)`$*()7y2O`Ur6?R-&*~k~5D`D%i9{a< zk7w(q0Zt2mNNOVlcol^9n~FWOUs3F({cd7E?Z*{|AY*omC=lp&DZVCbgV0dRfTQT?7X z1j1BF`)|)rOsXXWBCW4+P5F+8$yD#QGl!Mm@41bc`F(5O^b-S$6aL}-nIyoa;pn-- z$m)N2|K7={_s>Imhr6BP>d(Lrq6`DxNLCqskr0R9YrjzyZf|KPenN~Wn0-F+qyG7N zd7Tw;@!rO|Lus*U6Di((+3RiL$tk1Iv-TBBi(|jAX?r0}U1)AdTx&A|qLi}n1eTSR z)lgp__G{Qyy8Lu3hn21<%iXFUH~D%huviNVm9lWiV<}{TqqFnEaxW?=mw5l;Hq|=2 zTzq!k);h*7ZRRlFsf8Q;p#v9KoYx2DKHdFLESvk~%O?{gL@5*o-<+l*9=QyaHTt>X zN8hS&Z66L@mTAY1`OLi$;IX|1L2F}>D1DV zeUOJd@X|-N>(a3mS)3{nb#)6VT+>nq()db#t`?@~4N()b4CGjg6q&Qqzti8kFnGa$iWA24GMczU9>*cC zxVjD)ZgWq?6)Cn#qIy5p*K8Y4HxP<1m0lS6@Z&R8Vu*nR)43>Z9Nt~osMs$roWCkQ zo)$PUvJ^3O)-cH7aPoNnx9OMJ9^X6Uqb?qJEZarAkt8;G^r2ea*2f-8!qpIFr(x`| zqV(e@5=0-GO|eOtC-;W=#4P+8zE!yiZ)MmDW@fsau~ne4A$51^M`7TY zlt0^7=FP=ap2;b+Vm%aaPL1Sy-@QmfRT?^~ZT)BK zbp|h6dES@pA%?pT3sXyf^HDZzyk6uLIdVP=H1{7<-M%PEu#fz0?@T&duRhL`qOs@P zIn))mqQ%YepLmO5zc+RI=pxuX?V6}I?U41Q^dz1;(QyysSv~}w!C_8(7xRd#Hm-?G zouc?6SbSfk8&XE^Z5TomD^8qpKYdSGmPGW)b+@s(xOyJ)n28@{ct-I2yx@b6dygTX z;~F2Tp1D|MT3PejX}gL&pt~p0Pv3(}W@+F>Yxn6Xwss+@m=w*pif4TY>`>J$^Wpj} zrGqSfg4xH*;|Cc|G9(w2H;`3ze`mb@=%yRH~%#1L#s$(pO37E=%H74Huy6WMW?|4JbX!_f8WT#u&sQGn0$cF2_o~?gDOZK!l9H0RXE-t{KR5V4!x%?UqrGzXKqTM7j@a7T z{+OeX=cl2iKs&^_NqBbrE&6AYYlLQgQc| z%=78kjCKQJ=`yHhEPf_%ZjrahrQMDY^H z)0c<)wCC(A|5qyM9zK}U5tqF zCsZVVPjvZySG=et>pvi)MRtNuV|JD269miI#u9kVUgfrvx;uyB{zrGbe3YN z*3uZQjJuplADa;y@KP_|8<)@E2l+y4*e(y>y?d7gWj;qh#}C5-coVKDfDBou=}=rs z=!u46>f9Ue{@S+|-f@=0Fv~%or0JztDDUh1dAq5Nba;upPaTd#7vZF>vnu@f@?I0O zx+dD~guXNj+UY}$>pN;y4MtO#rGySf*cHeV#D}6yQ7AoO#m6q6aN)F+V!0BHD2lPQ ztcz_ziul+&h;fuw;k#o7)|S>fYKOB)znITOqvPvg0ZUH|FQ9+cx&*xmmksPPET{=2 zU#xFJ<~+(|w6xDX9pl!mCr^(U97fj%OJ&cHjqHJ)&obi418$6(Hn`Q})+?pFE6SUE>1*RVdxoPv5%ew!2hLl=`xvZMV5H7)P4eFQ63X!M&;bx%uGNP;BlsTDL8 
zU*1%@{+cEJ;YXyv-4FttLP|8+Cdjgq9lVQ2lgjz4_|-_(5SsC%>_I{(BZ8b`J=lU{kHJc$8Dc*%QcFfch0DC1q_yYd?`7>d4FvJhx_^S*J&TN95@Pp&Wq;09EZ~^jmJ6e2Y2H` zUPc`uUciXQX-g%l?4m8?M-ZY0`kJ2SvQ5L5cb|!FMMNZZMdjZPs)vC% zXOh2B?p=QS+nD}17xIu=6T(mldK7iKtQ$Scv!V%oBCkyQIG#)#d+BX5-C)C>C${s& zIFSW^ZM*oZ-uJxuF~v4Z$yot*QHxHYOOelYywd|G8vX?HD59P9Bh`+tn4X<|${+r8 zh1G_e1HA9s??8r6IIR18`_Dn>+(-xOOliA2Qtp=Q6|aD{pURY{=Wqqv8VHKkX7h}Vc^xlN$u^LBqH@hD$5u2g_s+pj1q-qjRf6ED3wRC%C*u(ix zpF0xocAu3`DgFb?_dVG~tV+0|xVvnH((2XE&FEz59lE*xy{Be3^l_?)~x z;hyp090l)Uq0h|l{R6RBA*iEQAVWc+i31% z4B$98yNI*nO^ElKg?&*dNU^Qo=+7d zkq`moA!r@y5ajSDnxpJhmju^n?#Fi${%@B`cR-O;7yjRG|BQFEva&kNnXH?Z`kw2r z=NcJt2pt`MU8boPC|x@<@`43;s|bc0oAOCK<$HhHWA=Z?d;e>{dy&=O*>_yBDHlHZ zG1H-b1RuEWfyUZIzE(oA$h?e2<`!Jx(5*M2AIW{*9(v+KxgJABLx+DnzA? zncPybx7e}utdo}u{DsotP6fZI!`toCw}O1)?uW6JlbEyRI5~FKcMLx}qtok^JEL8? zR+A=dIxUmIDbO3M3LRe0z8ccub_mYEE4O+SdO*07U$>pC@AUeO=}`VcD+599ZRXJx zu?zpTi;s={ev8)R+?Kh+BthwWM^Bt0D@UI@D%8&2E)+F|>YUGCkABJDG@!t_8?C@& zy%+mH+6tD&+2+kK`J~dmj4rce+G-6;*Ko>A&Tr#0ESA)EQcd=Svi~ZtTGz=J@fsy@ z`Q2H7;F$EkRuq}nN~Ai8MCGopT5CP~K+;Kl;TC#4(C$@_#_X}T z8;j1Td#-7}UdRe!-id%!*EtjG{1DMyTh5OB=73w8GycDZ$6i7BW-x_CcuD@7OWRJw z>|KCmWo8=3lu9Vb)Vj18mCWIG)9DjW=$>=R|88CfVYUMM`II*DDjz0K_*-GnjBJAFL>Kb*914 zuaEc99w>o@k50!3$9TrCJeo?aP4w!kt+-VxQTIx(@EOPzu`xv@taR!=be;MYBQ*+2 zG3$+eE7)y->7QH!i<L!DIHf z9p#Db0sA_w_UWmd8lNRUHa;koSre$7buU_A(aD| z4;aDgU%>Wqx`~3Vq1nsZ>T>4AiWH;ax0bnJ%Q|r9I>pz+~m8ZXE768ykcbgz6b-5Bw%j40gN(D7Gn4GK&9 z;8={XD8o?(YSVg)O1ZE%*I_T`Qy709nFu|sz85&HGW2>)o7Fyms(6!LlXJyR<(a}a zkj(a-|)E0se`9}#H{tws@3l@_zShf{y)alE=iElGjW*AVXeJgU75@*XQ z0U4b3^HnR`q;Dms8}Z2SB!k+N<2ZG)5ce=awuUXBp9v|Tz=Y*WJB@vHvEylApceD! 
zI-}?4T4tg;jJ}xBvz=?~ne!59(k|fq$;U%$h5%rdaCJqLEh`~_i4GwPb4s&>*f-|e z>kH+8ktMYGwl3YkFQ!Z(5#0DKwK^U)w% zB18iC)^aM22tELi=Qmx2Ky1-dn;2`avwkyqv8Pmp{Yo5l%BucGdJnl2wZAggID!^fS_2k8Dq zI`G}R3>S98YPDtbxkxv!(-l7}7iVX^vWb_k={srgg8t+yrBm-{&E=6^=c0&ghxEIg zk9JnxWl!0qL~%8iPE4^rXaGq@p*>%eY|_x>Lh>gLx%cy+B-Db)=uV1j!|!V zdc>mNeeczg`9U%h^<;6IeXBfX*mQLsc2k9SXPYooVSc{UP;>{=`|)TxnbtO@QSb~9 z?d+`28VKEI%RGm&p1zK#rijZkzgLA$469xK`|K4(MeOE6tgZjAwjiS^63_ccMuu$B zsr=W6`>$?366x*{u>!RwJ1Z-_5i)reSOdF6bw#49&7qhEBkWe)ZIG_WZ;Os-d#qbu zL0ujs+pnZNS{VEJ5FcjlHM*N$WA}8*10Vga90fb`@uTr!DqH<%#rDMOZRY`2kUcVa zb^O8^<_88x^o>QP@;6!wJ!f;nH9foS@UyF(UKv3R(4T1zH`Y+g%yX&dwld0kCVP?6|4V8iKzZ z&1)Z3xmY2We7yiH);bas^>*--*g|Gv6t5&b23!IRxnAl&b^EM2`n(ZaD`}MB98Wh$ z>DrwMDQV6ADB+lU_wL=^-4!}sPi#^A)LZ8d)L^ByzRiV3&x03i3*@~Ps*Mk1)Yz5k z3A~6+69FsO19#D~`5c1lzjmq7Op1rUs?o$Aaly7s-p6_E5ju9PH`$j~wF&H|sU2r? z>AqnsE-l^dOF26AlE$Se2oQ^aM0VIYID`uY&Z=FKHKQ)Irle$Pr?Q^iaW>AO3R{oq z>a=~dEY<>Qjp&TilZr0OAey6&C2v%0Pv_}w14poBxW&i5fS4KNwRlF0%03a0uE7%9 zX*yEpD3C_dI8{L^L#?p_0==2WhXRQ-4kyI&=fx|*L2GDA&=OZmP>SZn2>4ibw5M0K z-1cy0WYihLOZunE8JN#%8b=Fw{_x3N8EW#LVJwX*^P~(_Y&UL8FAMutH04`ctgC4Q zYhDb5W%sU{+uLiEW#v4lJ^cY@ejyi+$LHkSYWQ?_W4NE`&qd!PA?sfQ13VS?9?Z~< zLwO3Mn(w1@NG_IR0Zj99UsL>a6-Yz4XU5;g_>p5xdXn(TNf5Za}bk8Bv8rMKaRT zDSm@&vQ?X#r5;N*+?vgZE5sb!&6_t>ek_nN-yeu69>65(rZpixe8M?C_k;rIHibDa z8WC%zLzTBg9@=@Q<{N-)0NOeZc(^G3m>V5+iirYh%0%Y{d{s?|PGuTFss4T%c}NbB zwztu+k&@925**7{mTbG?RQzE0S%VJO8@q^llJElzntL)1=XlKk`61G-ZS40~r+7i9 zsXpx{V&=m^WgG4skU4^?)uF?ma;}D8$mPO=@3Xz{7v)MM;=Trfuk+meLo`@BZhOsj zKmzZ;BKMx5^mkPHxTYA>(e`De$y`Wv#N z0qzWq?khDYuc9`?YNwV8L~QTkX0DwQ?Npm?I^#&6)xdHzCyZk8?TN3U%}0eP;TeKl1!{_ z^MVzHR#W4btTz6>^A^XAHmh^oY?~2Bx|kL1s0`oCa~1sjKB77eog~{$r@T6p+omYsVKb535Wf%sZr7`+U5ICiRBoKuh|Gi< zv+W*QAguQ5HQS*T-uVY8G?LK7+_GtBR^AuS*?+b8$Rg$f%y9|+7FOFm{RwCPKkX=% zC-hF{w)OE!Xc{u2ZGWImFG3N4^l)=oKtuI6i73l-lKeY{WN3*^{D<&HZVGTFi)m#X zjCkPQRkhm5HL%b}Q;{<^G`Ej9y?Z!lZWfCjFWJAtk~rz^{olAEu@rYb`1qQl^8U@+ z(&BJ5UDWvC2?RZ0!S#ShA~<|eJ4#hm6~Iz+HMf%!Mkbch>g%<37h*?gX=xcv%G+UZ 
zZ{EFF?d<__1@ZU@ylz1{QWmossr9eX_NLb)83(ciohxz^LzjEoRhIeZyg+VJZ>#_GcK&WO9KB zUgeh?pTbTm=dpmh_-r1NDo(W$yZ$%&D1O=*gp2TN3<)#^wx@rt|FK=vUM;IbKX#V( zFR5O6Cur4nG&+!`{@W^XIv;eL2xF(NF+~J@Y(YQr^^N{ps03be1dzC8Ysut~9^;@$ zMN@m-LFM}!vA30xe~aJ$kC^>mL;D5%^PNk5=)=)fC3nc3opCsk>!6NR!i47BFUdNs z%ANYxNc=bI-mWodo+w_mE#v0hn8~&8L}=j z$F?)QyLWn<{l+tr*=yK~^4>ez-LMzSbNu4{kvC|S_?ndE$|!W0t)U&h$a^=N9Mpk} z0E`i2kuTgg;qUY_erlFKO1;6y%j%aQ+=AHdwx57A&cJ*tL@em;3ZAz!7Vu7PuznHl zvXmE1$RYLJT6B*TO5HCt1=~{4742Fx(A|Au$*6k76g^MAw2Pyw$pFq+?t@R((J>AW zJKD?|NY)@Bb}7;IX8=^H4@Hr=|u+80ub(l5_cbZB;3DX$onDR`-4t<{~Kh0`7ocf+k9VminWwx|&7@>CuV*taI z`yj^l0ZU!{2^!}&l0KQ(ox4q2XDSY8aJ@=%EaA`CVn%fo`JAdJXlPc1zzR1)q1fje zIAvUwu<>?q71 zzJ_Tj;@y$fcHdV*OB|JbaiEI)z+>Vo()C8Qp~i%*A8nWuW%lT8a#a(P{dB!xo0LI8 zc!~4Ul+6dgzPTc2+d!iNXnEl5q2kz851(&73IYw~&7gZJs3%H^sR`CkE@Mg z)?+0r9(ri+Urm_TvpT;677E_cpULJtq2Vn~UGpscDhAX^9H4kI#ccKZ3mC<~_bR zQ{D>m6jl8U?U#>y;+#n6vWG5hC3x4uUc44eal_2VY{AD-=V~z*I4z7{o(JwcutmH- ziFb4dIGmSD)JkS(3vnK}_q$%$k%(1=mi5(N1hQL^&KNriiFcHqVa<<;UTn!-8}1r) z=#9DkU)C02dOh$vl~brU_EsZ4Ew-$!qB2h(ny}F!^}=n|*|4A6(504e-@?MTHzJ%e z3VnNpZaCKP4w99{#jP@N%~DV5qJ_o#wJNsrZ@}l5U`IITH`LigHx+aNEh4sUD~JM} za9$2AZ>tv+2c~GCNqeYvdN1fbX}~589O%!V zCEPMZBG1e>g)3I&YRMA7*Uhen>PB6YT(N@?r21>Ic0V?BYu!R$E-rhnEB zA1MUcsm-JyXZqVS1~7y0n%9Oe1!HNnDSmd#@kVz{L`0#Of})}@Y<*&QzY!3L9`++Y z*msn#nQV%ece<+?AIu4+XCXl}cgQ(lFMQJxR{}{s~*F8WxpwUb~ z@ikxZUZKf=G^$`9zq=Xp;s+V1JQ@2zzxr=ah9?qJ?C<22@Q=`ybo;?RMmQeu4e&7@ zV|bm`ds;+lbsy!AiW=F(ml!BSJd~7}lf4F&1KI5&5@>2CSt@X_7)JOc8ms{we+qw# z5#BSk^Z90kpja~^BGiEYl1exGb(`Eg66~P;FRgTc0p_74+l1iqUTVC*?Hqm>2>*Yi zqmpss^z4oV+%UVZLdfYfCdlu~(qv6682*s|Xs|ZNd)z@kRg^MCB?}%3?)l`l?0$$< zX!FrR`0UU5npCEmv|jsT@GyxY?BL-7pT%k_)mO?3*2TYBIH6G4{p@24@!gIYKA5Jj zZvWHq6x-;rFoaQP2@3O;fFo05PruU$DSHd$v)4-2+3F*cvOI6D4#IR)waEkC@44TI1%5No}qQ%y}2s=%W5=PBL3F^_U=t>-P zIqj#8f_bX+GSU$1vhCS^mWVA>ZG6bgx`sI%Sjw_=XG<;xmqs_Uta$}$ESCFD!u)Ud z3m?>@5Z#q~^w_sBrFIVSr%7S=d0d-Oot>HG)*E0EF1c9GuNjKwmRqb|h36uc(t522 z(_qCzKk*_~bk|m!w1%>&?YL(EO!g_v?e||V0DzZ?1Br&xTxJY#l_!7Qky9Be=ZL1e 
zFFGEeI0mL&?{j&MrU*AG@B^;e;NwU=O7k?@!!NU~XI^rMMN0u;1`J3Xr1|(Uh2?2U z*F6wj5V+M7T+-K|%&z@+-tRewLvz2mOp|@+DC0S7Z#4vY2s1f(aP(~ z&?*1Yg*9{G&|0t#zN5?UNa;r7pKBn$a2TS z4=3xvzz|4oE;;X5P1|!cpFg90#~4~sEa#l>II-3mY@?>nN8&C2%*Muv9MBQ`3Unk@ z021ydV^_Z6Ows_E!wiYnh?7y%O08rqwvDRH1-etxg+0H0|5g;4_I5sg%?<9UVhe}IJzc%5{R8;#g6Z8Jm zJG02ek6D4*cpRrZX!DKLE+*3YPQX*at%6~-Int?|f~{geY6>Y>XCTbI_tnP^EjRrj zA11+mT_dRYzG6Es#s7(d5oR8GHbvb(`rz5U=>}3kiWzO}aYpyH??Ffnh<+aAYJXqx zdS^*1z>K0%KyC7yzpVi#!z>ZMl#7%;7t}JNGM(qor&k2$3o#nEtz-|297-%k6_xds zR#zrrz@+4@Gf6mgAfUfh{JfQNDBkc4lCF%=r%r_QL?-szINo-%^;^Gh@BR7~!9L!I zg6ns92US*#jc=bQsqt;AOmd{z545As2g8V`Kz~)G&y&_Hd^>vmkM+gM(MwDDX}M&C zsC`3pve}RhThJ*Q7y_X0uAQCT$ugRtUD@_pKXTp4QL!Bt|F&B%yb??mM-_@?DeQX; z%JmgXJEAwO5$rg=ju+6|l1ST(i;-_Gjk6Z>i^n(}PHHx#;Fhze^7CNHpmk>&i_J8m zB0=lU3GjEGU97^ zu;YhUM%_){Y%ioJ(#FK9MuvW@)H=J9ZZe$*h+YPaizUsyUG!x+nl}i%bedc*II(n) zLkUXxw6wI8`)WXL)TBKqUXwfuW-7h^_Ue8g1PT_IlndY;32~=_5KLNPbrX+2e#(c| zsjCv&?bLy0dsKdYz8i?>u~R_9E)}13;v3D(D^jVDSqTmH%dl^(qjeviCHdIk9XF=o zR3vxLHR#*D=7EKUg@z5O-)g#p%YB!+f-$MTB7nwUP+XjDa`USOXtj0z%kbF!e$a(8 z1OG^C(5XV7eE&}`AM_Dv^Lc+7nlx5#R>Nqo8G!?4v-NwEou*WOkxyYLxy}T}eBRLh zW`JC!^+Eg9&A-U=_~V;+0K|C%qXUWS&?nD#z(NT?Kq7Rh49!Yk9t|=~eZnabcL0Vl zSht}r9T23G*6Vb*+T3y^fSAS}+(Mg7X&m{z2|;^t z&Uus}^FP?n1s_z{@{%7DdODrl%B@R8EBu>=_}I6v@J!*d$og_VCo^EGMiB??Wm*G!Y6C@ttC&%`JIf^NtVJl34v|Y)xcip*hz&e`9j4D8dpkwqfew- z7b&z0NHz3@rgfcaMpVl5Y~{Os-uz~xpoaA3uT#|RVA=}oMP3djPj>M=&|>G6e&5kf zY)ZyCZLfE`5_}is4!gbVQ|V?n(two`s_pF9W*^RMOKT>x?jhR@ji}jpd1bn1n6{Pk zbO8l-*CMImd=x1O=|)qTn%9(q`c0dX6t~5@37B_J4rd1pZAsr~_izaO`dm#vvHoyf zwFLniH}=yUv1MC4O0F;*%tBJF54J7~K3m>Kmz+V;4{hYDj4n1w*EG8Nnd|xM=EULI zf>r;SW$*kq&&wZy5^ncq`Q?DjANNmuPRu1}v%%O49C=l%I&stkPpDTTV@(zuy0;dl z&C&6+!~P)Gua+KEJwM2WOsg*5kI5tSIr$fyh~g6Q zIE#$xah>cXhexod*Mkw{|WZ( ze5dVd=VQ{0ZZ8#{XA0j6q)y}k@xqNcaU)kX>=c3h##e=K$hxisPky97d6s!qY&-=xDj5RV+&sL9NLcld)Q=rhiEMdXKOqb6uzOn#q?ZD7Tp^fW3%^Nr;Ypi`iD@?U7 zOml0;KfEH=BaYBSJ9F?Gk+E*A;mItV`DSRYlWv7lBHcJkUzQedUo10GWBxg3i+Z!6 
zD!kIkav&FjB$jAGMhRpX1m8>56?3A@IKIL+nNom&-3QnGd7rzpjks9hu1-(I6IS<) z1^$qHmcRI^;tgua>;Y7V)&pT*lY0@P2&nNqvI6(z%Qsb-K%9l_&W754wae%}P}@0x ziDo(o2S(8irekxOZ+qc$_U+!AfaAQfv!b)`$*()7y2O`Ur6?R-&*~k~5D`D%i9{a< zk7w(q0Zt2mNNOVlcol^9n~FWOUs3F({cd7E?Z*{|AY*o[Firewall CSP](firewall-csp.md)

      Added new CSP in Windows 10, version 1709.

      + +[eUICCs CSP](euiccs-csp.md) +

      Added new CSP in Windows 10, version 1709.

      + [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md). @@ -1394,6 +1398,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    + +[eUICCs CSP](euiccs-csp.md) +

    Added new CSP in Windows 10, version 1709.

    + [AssignedAccess CSP](assignedaccess-csp.md)

    Added SyncML examples for the new Configuration node.

    From 353aa363d5ff7b69c31b71b6e44d75ed6216e95d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 13:31:57 -0800 Subject: [PATCH 60/81] trial link --- ...s-non-windows-windows-defender-advanced-threat-protection.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 39feb6c290..706db3ef71 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -20,6 +20,8 @@ ms.date: 11/08/2017 - Linux - Windows Defender Advanced Threat Protection (Windows Defender ATP) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) + [!include[Prerelease information](prerelease.md)] Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. From 89d2753d20867bf12dcf0dd2d0c5ae9c0a9f49b5 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Fri, 10 Nov 2017 15:12:44 -0800 Subject: [PATCH 61/81] toc typo --- windows/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 85aa64621b..986357c45a 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -165,7 +165,7 @@ #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) #### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md) -##### [Troublehsoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) +##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) #### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md) ##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md) ##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md) From 3376e1f446ce841b7812d015712de96ecbd972dc Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 11 Nov 2017 00:13:54 +0000 Subject: [PATCH 62/81] Updated .openpublishing.publish.config.json --- .openpublishing.publish.config.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index c1e7bc502b..96e3566542 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json 
@@ -466,8 +466,7 @@ "branches_to_filter": [ "" ], - "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", - "git_repository_branch_open_to_public_contributors": "master", + "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client", "skip_source_output_uploading": false, "need_preview_pull_request": true, "resolve_user_profile_using_github": true, From 05ceee53de2ed82268817fbc854756e75275cb3f Mon Sep 17 00:00:00 2001 From: Jan Pilar Date: Sun, 12 Nov 2017 09:46:43 +0100 Subject: [PATCH 63/81] Update response-actions-windows-defender-advanced-threat-protection.md Sentence "These response actions are only available for machines on Windows 10, version 1703" is no longer valid since these functions and many more can be used with Windows 10 1709. I suggest to add "or higher" into sentence. Thanks! --- ...ponse-actions-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 6f30bcb438..b43fb54643 100644 --- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -31,7 +31,7 @@ ms.date: 10/17/2017 You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. >[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. +> These response actions are only available for machines on Windows 10, version 1703 or higher. ## In this section Topic | Description 
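Review bot: In .openpublishing.publish.config.json, the key git_repository_url_open_to_public_contributors now holds https://cpubwin.visualstudio.com/_git/it-client instead of the GitHub repository, and git_repository_branch_open_to_public_contributors is deleted rather than updated. The commit message gives no reason for either change. Please confirm that a URL on this host is meant to be published under a key named for public contributors, and state in the commit message what replaces the removed branch setting.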
From 8a7b99b26494f0d2709a03593cd7f7b0c86e97d7 Mon Sep 17 00:00:00 2001 From: joscon <33638761+joscon@users.noreply.github.com> Date: Mon, 13 Nov 2017 12:45:53 -0800 Subject: [PATCH 64/81] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index ed973594ca..5ccfa7b0e4 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -42,6 +42,9 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. +**doWipePersistUserData** +Added in Windows 10 Fall Creators Edition. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + ## The Remote Wipe Process From 28cd6a63ef61f7b59b5437280ae75143bb7e0fbd Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 13 Nov 2017 21:32:37 +0000 Subject: [PATCH 65/81] Merged PR 4481: DeviceLock/MinDevicePasswordComplexCharacters in Policy CSP Added clarification to improved discoverability --- windows/client-management/mdm/policy-csp-devicelock.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 457a2e4d0e..f4face45fd 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
@@ -793,8 +793,8 @@ The number of authentication failures allowed before the device will be wiped. A - 1 - Digits only - 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required +- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop.
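Review bot: The two restrictions added to values 3 and 4 of MinDevicePasswordComplexCharacters are scoped differently. Value 3 reads "Not supported in desktop Microsoft accounts and domain accounts." while value 4 reads only "Not supported in desktop." If value 4 has the same account-type limitation, repeat the full wording; if it is unsupported on desktop altogether, say so explicitly, because the list that follows distinguishes supported values from the values actually enforced.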

    The default value is 1. The following list shows the supported values and actual enforced values: From ca774be030b4f5f274d2255ca8790d94a2c79370 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 13 Nov 2017 21:42:53 +0000 Subject: [PATCH 66/81] Merged PR 4483: Update to Policy CSP --- ...ew-in-windows-mdm-enrollment-management.md | 13 ++++ .../policy-configuration-service-provider.md | 21 +++++ .../mdm/policy-csp-authentication.md | 43 ++++++++++ .../mdm/policy-csp-search.md | 48 ++++++++++++ .../mdm/policy-csp-storage.md | 43 ++++++++++ .../mdm/policy-csp-update.md | 42 ++++++++++ .../mdm/policy-csp-wirelessdisplay.md | 78 +++++++++++++++++++ 7 files changed, 288 insertions(+) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6588fa7acf..b3c6da87b5 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1026,6 +1026,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s

    Added the following new policies for Windows 10, version 1709:

    • Authentication/AllowAadPasswordReset
    • +
    • Authentication/AllowFidoDeviceSignon
    • Browser/LockdownFavorites
    • Browser/ProvisionFavorites
    • CredentialProviders/DisableAutomaticReDeploymentCredentials
    • @@ -1080,9 +1081,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • Education/PrinterNames
    • Search/AllowCloudSearch
    • Security/ClearTPMIfNotReady
    • +
    • Storage/AllowDiskHealthModelUpdates
    • System/LimitEnhancedDiagnosticDataWindowsAnalytics
    • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • Update/DisableDualScan
    • +
    • Update/ManagePreviewBuilds
    • Update/ScheduledInstallEveryWeek
    • Update/ScheduledInstallFirstWeek
    • Update/ScheduledInstallFourthWeek
    • @@ -1102,6 +1105,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • WindowsDefenderSecurityCenter/Phone
    • WindowsDefenderSecurityCenter/URL
    • +
    • WirelessDisplay/AllowMdnsAdvertisement
    • +
    • WirelessDisplay/AllowMdnsDiscovery
    @@ -1397,6 +1402,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  3. Defender/ControlledFolderAccessAllowedApplications - string separator is |.
  4. Defender/ControlledFolderAccessProtectedFolders - string separator is |.
  5. +

    Added the following policies for Windows 10, version 1709:

    +
      +
    • Authentication/AllowFidoDeviceSignon
    • +
    • Storage/EnhancedStorageDevices
    • +
    • Update/ManagePreviewBuilds
    • +
    • WirelessDisplay/AllowMdnsAdvertisement
    • +
    • WirelessDisplay/AllowMdnsDiscovery
    • +
    [eUICCs CSP](euiccs-csp.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 94698ad811..c44db4c35b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -334,6 +334,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Authentication/AllowFastReconnect
    +
    + Authentication/AllowFidoDeviceSignon +
    Authentication/AllowSecondaryAuthenticationDevice
    @@ -2397,9 +2400,15 @@ The following diagram shows the Policy configuration service provider in tree fo
    Search/AllowSearchToUseLocation
    +
    + Search/AllowStoringImagesFromVisionSearch +
    Search/AllowUsingDiacritics
    +
    + Search/AllowWindowsIndexer +
    Search/AlwaysUseAutoLangDetection
    @@ -2616,6 +2625,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Storage/EnhancedStorageDevices
    +
    + Storage/AllowDiskHealthModelUpdates +
    ### System policies @@ -2792,6 +2804,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/IgnoreMOUpdateDownloadLimit
    +
    + Update/ManagePreviewBuilds +
    Update/PauseDeferrals
    @@ -2955,6 +2970,12 @@ The following diagram shows the Policy configuration service provider in tree fo ### WirelessDisplay policies
    +
    + WirelessDisplay/AllowMdnsAdvertisement +
    +
    + WirelessDisplay/AllowMdnsDiscovery +
    WirelessDisplay/AllowProjectionFromPC
    diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 156a32f2f5..14c360f83a 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -28,6 +28,9 @@ ms.date: 11/01/2017
    Authentication/AllowFastReconnect
    +
    + Authentication/AllowFidoDeviceSignon +
    Authentication/AllowSecondaryAuthenticationDevice
    @@ -171,6 +174,46 @@ ms.date: 11/01/2017

    Most restricted value is 0. + + +


    + +**Authentication/AllowFidoDeviceSignon** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. + + +

    The following list shows the supported values: + +- 0 - Do not allow. The FIDO device credential provider disabled.  +- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows. + +

    Value type is integer. +
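Review bot: The supported-values text for Authentication/AllowFidoDeviceSignon has two wording errors. Value 0 reads "The FIDO device credential provider disabled." (missing "is"), and value 1 ends "to sign into an Windows." Suggest "The FIDO device credential provider is disabled." and "to sign in to Windows." The description also does not say which value is the default, which a reader needs to know for a sign-in policy.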


    diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 40fd5ccca0..29d698f38d 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -28,9 +28,15 @@ ms.date: 11/01/2017
    Search/AllowSearchToUseLocation
    +
    + Search/AllowStoringImagesFromVisionSearch +
    Search/AllowUsingDiacritics
    +
    + Search/AllowWindowsIndexer +
    Search/AlwaysUseAutoLangDetection
    @@ -195,6 +201,15 @@ ms.date: 11/01/2017

    Most restricted value is 0. + + +


    + +**Search/AllowStoringImagesFromVisionSearch** + + +

    This policy has been deprecated. +


    @@ -243,6 +258,39 @@ ms.date: 11/01/2017

    Most restricted value is 0. + + +


    + +**Search/AllowWindowsIndexer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allow Windows indexer. Value type is integer. + +
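Review bot: Search/AllowWindowsIndexer is documented only as "Allow Windows indexer. Value type is integer." with no supported values, no default and no "Added in" version, unlike the other policies added in this commit. Its edition row also shows six marks under seven edition headings, so one edition has no mark. Search/AllowStoringImagesFromVisionSearch is added with just "This policy has been deprecated."; say in which version it was deprecated, or leave it out of the policy list.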


    diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 8556b25018..3a559d0f2c 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -22,6 +22,9 @@ ms.date: 11/01/2017
    Storage/EnhancedStorageDevices
    +
    + Storage/AllowDiskHealthModelUpdates +

    @@ -85,6 +88,46 @@ ADMX Info:
    + +**Storage/AllowDiskHealthModelUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Allows disk health model updates. + + +

    The following list shows the supported values: + +- 0 - Do not allow +- 1 (default) - Allow + +

    Value type is integer. + + + +
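Review bot: The change-history list this commit adds to new-in-windows-mdm-enrollment-management.md names Storage/EnhancedStorageDevices as added for version 1709, while the policy documented here, and named in the other version 1709 list of that file, is Storage/AllowDiskHealthModelUpdates. One of the two lists is wrong; correct the change-history entry if AllowDiskHealthModelUpdates is what was meant. The new entry is also appended after Storage/EnhancedStorageDevices in the policy lists, out of alphabetical order.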


    Footnote: diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 574859ea7b..9edfd3e3e2 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -94,6 +94,9 @@ ms.date: 11/01/2017
    Update/IgnoreMOUpdateDownloadLimit
    +
    + Update/ManagePreviewBuilds +
    Update/PauseDeferrals
    @@ -1453,6 +1456,45 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego 3. Verify that any downloads that are above the download size limit will complete without being paused. + + +
    + +**Update/ManagePreviewBuilds** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcheck mark2
    + + + + +

    Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. + +

    The following list shows the supported values: + +- 0 - Disable Preview builds +- 1 - Disable Preview builds once the next release is public +- 2 - Enable Preview builds +
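Review bot: Update/ManagePreviewBuilds lists values 0, 1 and 2 but not which one applies when the policy is not configured; add the default. In the edition table the Mobile Enterprise cell carries footnote 2 while every other supported edition carries footnote 3, which does not fit the single "Added in Windows 10, version 1709" statement. The Mobile cell is a cross mark, so also confirm that Mobile Enterprise support is intended.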


    diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 9371a1d8c2..5a32e0b066 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -19,6 +19,12 @@ ms.date: 11/01/2017 ## WirelessDisplay policies
    +
    + WirelessDisplay/AllowMdnsAdvertisement +
    +
    + WirelessDisplay/AllowMdnsDiscovery +
    WirelessDisplay/AllowProjectionFromPC
    @@ -39,6 +45,78 @@ ms.date: 11/01/2017
    +
    + +**WirelessDisplay/AllowMdnsAdvertisement** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + + +

    Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. + +- 0 - Do not allow +- 1 - Allow + + + +


    + +**WirelessDisplay/AllowMdnsDiscovery** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + + +

    Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. + +- 0 - Do not allow +- 1 - Allow + + +


    **WirelessDisplay/AllowProjectionFromPC** From 0cafdd362fd6068fc6596784706802b61d0c4b9d Mon Sep 17 00:00:00 2001 From: joscon <33638761+joscon@users.noreply.github.com> Date: Mon, 13 Nov 2017 15:25:01 -0800 Subject: [PATCH 67/81] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 5ccfa7b0e4..2a5bad77e5 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -43,7 +43,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10 Fall Creators Edition. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. ## The Remote Wipe Process From a914b58b9bb5accf09141024cb5885443695e0f4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 Nov 2017 16:52:51 -0800 Subject: [PATCH 68/81] typo --- windows/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index cc891f0d7d..e1120ad955 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
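Review bot: In policy-csp-wirelessdisplay.md, the new WirelessDisplay/AllowMdnsAdvertisement and WirelessDisplay/AllowMdnsDiscovery descriptions list 0 and 1 without saying which is the default, and unlike Update/ManagePreviewBuilds in the same patch they omit the "Value type is integer." sentence and the "The following list shows the supported values:" lead-in. Suggest adding all three so both sections match the other policy topics and an administrator knows whether mDNS advertisement and discovery are on before the policy is set.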
@@ -25,7 +25,7 @@ ### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) #### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) From 390d696b42009bfca3f5594eb56d37e203d0b10d Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Nov 2017 22:57:08 -0800 Subject: [PATCH 69/81] fix product name --- .../windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index ec8c9e2244..56df91f582 100644 --- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md 
@@ -106,7 +106,7 @@ Topic | Description [Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues. [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP. [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required. -[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP. +[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender Antivirus works in conjunction with Windows Defender ATP. ## Related topic [Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) From 289e3c6fadf04a8b8d64a8dab7b478338b0ac819 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 14 Nov 2017 12:42:56 -0800 Subject: [PATCH 70/81] updates --- ...indows-defender-advanced-threat-protection.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 17f7fa36ee..761f4e11dc 100644 
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. -keywords: Windows Defender ATP data storage and privacy, storage, privacy +keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -17,23 +17,19 @@ ms.date: 10/17/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. > [!NOTE] -> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. +> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. ## What data does Windows Defender ATP collect? Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes. -Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version). +Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). 
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). @@ -42,11 +38,11 @@ Microsoft uses this data to: - Generate alerts if a possible attack was detected - Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. -Microsoft does not mine your data for advertising or for any other purpose other than providing you the service. +Microsoft does not use your data for advertising or for any other purpose other than providing you the service. ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. 
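Review bot: In the "Do I have the flexibility to select where to store my data?" paragraph of data-storage-privacy-windows-defender-advanced-threat-protection.md, the new sentence "Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation." has a stray comma that splits the verb phrase; either set the phrase off on both sides ("will not, under any circumstance, transfer") or drop the comma. In the same hunk, "for any other purpose other than providing you the service" repeats "other"; "for any purpose other than" reads cleaner.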
@@ -69,7 +65,7 @@ No. Customer data is isolated from other customers and is not shared. However, i You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
    -Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. +Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. ## Can Microsoft help us maintain regulatory compliance? From 79360b257dabaa55fa2a2b6e1325ce9f93bf7b19 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 14 Nov 2017 20:51:39 +0000 Subject: [PATCH 71/81] Merged PR 4480: Added activation detail to VDA topic Added activation detail to VDA topic --- windows/deployment/vda-subscription-activation.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index fc38a3df22..25d0f04961 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 09/05/2017 +ms.date: 11/14/2017 author: greg-lindsay --- 
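Review bot: In the "At contract termination or expiration" paragraph, replacing "for a period of at least 90 days" with "while the licence is under grace period or suspended mode" leaves the next sentence, "At the end of this period", pointing at a period whose length is no longer stated. Say how long the grace period and suspended mode last, or link to where that is defined, so the retention commitment can be checked against the 180-day erasure limit. "licence" should be "license" to match the "licensing" keyword added at the top of this file, and the context line just above still reads "Window Defender ATP".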
@@ -25,7 +25,15 @@ Deployment instructions are provided for the following scenarios: - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. - VMs must be Active Directory-joined or Azure Active Directory-joined. - VMs must be generation 1. -- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). + +## Activation + +The underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. + +Procedures in this topic provide a Windows 10 Pro Generic Volume License Key (GVLK). Activation with this key is accomplished using a Volume License KMS activation server provided by the QMTH. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). + +For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). ## Active Directory-joined VMs From 449f2e1b61fe4b625af1b122ddd182007ec38f91 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 15 Nov 2017 00:14:48 +0000 Subject: [PATCH 72/81] Merged PR 4525: Device update management article - updated link Server Sync Web Service --- windows/client-management/mdm/device-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 68de7f9bb2..f5b94518b9 100644 --- a/windows/client-management/mdm/device-update-management.md 
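Review bot: In vda-subscription-activation.md, the requirement line touched by this change still reads "VMs must hosted by a [Qualified Multitenant Hoster]"; add the missing "be" while the line is being edited. In the new Activation section, "Procedures in this topic provide a Windows 10 Pro Generic Volume License Key (GVLK)" would be easier to act on with a pointer to the step where the key appears.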
+++ b/windows/client-management/mdm/device-update-management.md @@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: - It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx. +- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: From 25d8e138a802f1ae9859842b92ae8114a52b58a6 Mon Sep 17 00:00:00 2001 
From: Jeanie Decker Date: Wed, 15 Nov 2017 17:49:12 +0000 Subject: [PATCH 73/81] Merged PR 4524: Add wired authentication to Surface Hub --- devices/surface-hub/TOC.md | 1 + .../surface-hub/change-history-surface-hub.md | 7 +++ .../enable-8021x-wired-authentication.md | 61 +++++++++++++++++++ ...anage-settings-with-mdm-for-surface-hub.md | 2 + devices/surface-hub/manage-surface-hub.md | 1 + ...repare-your-environment-for-surface-hub.md | 2 +- 6 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 devices/surface-hub/enable-8021x-wired-authentication.md diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 82f4db6262..69c603b84d 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -37,6 +37,7 @@ ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) +### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) ### [Using a room control system](use-room-control-system-with-surface-hub.md) ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 6643499b80..4f7d71f0d7 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md 
@@ -16,6 +16,13 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## November 2017 + +New or changed topic | Description +--- | --- +[Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | New +[Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Added settings for 802.1x wired authentication. + ## October 2017 New or changed topic | Description | diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md new file mode 100644 index 0000000000..c7a55bf866 --- /dev/null +++ b/devices/surface-hub/enable-8021x-wired-authentication.md 
@@ -0,0 +1,61 @@ +--- +title: Enable 802.1x wired authentication +description: 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +ms.author: jdecker +ms.date: 11/14/2017 +ms.localizationpriority: medium +--- + +# Enable 802.1x wired authentication + +The [November 14, 2017 update to Windows 10](https://support.microsoft.com/help/4048954/windows-10-update-kb4048954) (build 15063.726) enables 802.1x wired authentication MDM policies on Surface Hub devices. The feature allows organizations to enforce standardized wired network authentication using the [IEEE 802.1x authentication protocol](http://www.ieee802.org/1/pages/802.1x-2010.html). This is already available for wireless authentication using WLAN profiles via MDM. This topic explains how to configure a Surface Hub for use with wired authentication. + +Enforcement and enablement of 802.1x wired authentication on Surface Hub can be done through MDM [OMA-URI definition](https://docs.microsoft.com/intune-classic/deploy-use/windows-10-policy-settings-in-microsoft-intune#oma-uri-settings). + +The primary configuration to set is the **LanProfile** policy. Depending on the authentication method selected, other policies may be required, either the **EapUserData** policy or through MDM policies for adding user or machine certificates (such as [ClientCertificateInstall](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp) for user/device certificates or [RootCATrustedCertificates](https://docs.microsoft.com/windows/client-management/mdm/rootcacertificates-csp) for device certificates). + +## LanProfile policy element + +To configure Surface Hub to use one of the supported 802.1x authentication methods, utilize the following OMA-URI. + +``` +./Vendor/MSFT/SurfaceHub/Dot3/LanProfile +``` + +This OMA-URI node takes a text string of XML as a parameter. 
The XML provided as a parameter should conform to the [Wired LAN Profile Schema](https://msdn.microsoft.com/library/cc233002.aspx) including elements from the [802.1X schema](https://msdn.microsoft.com/library/cc233003.aspx). + +In most instances, an administrator or user can export the LanProfile XML from an existing PC that is already configured on the network for 802.1X using this following NETSH command. + +``` +netsh lan export profile folder=. +``` + +Running this command will give the following output and place a file titled **Ethernet.xml** in the current directory. + +``` +Interface: Ethernet +Profile File Name: .\Ethernet.xml +1 profile(s) were exported successfully. +``` + +## EapUserData policy element + +If your selected authentication method requires a username and password as opposed to a certificate, you can use the **EapUserData** element to specify credentials for the device to use to authenticate to the network. + +``` +./Vendor/MSFT/SurfaceHub/Dot3/EapUserData +``` + +This OMA-URI node takes a text string of XML as a parameter. The XML provided as a parameter should conform to the [PEAP MS-CHAPv2 User Properties example](https://msdn.microsoft.com/library/windows/desktop/bb891979). In the example, you will need to replace all instances of *test* and *ias-domain* with your information. + + + +## Adding certificates + +If your selected authentication method is certificate-based, you will will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates). + 
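Review bot: In the "EapUserData policy element" section of the new enable-8021x-wired-authentication.md, the reader is told to supply a username and password for the device to authenticate with, delivered as a text string of XML through MDM, but nothing says what kind of account those credentials should belong to. Suggest recommending an account created for the device's network access only, since the same credentials sit in the MDM policy and on a shared meeting-room device. In "Adding certificates", "you will will need to" has a doubled word, and in the LanProfile section "using this following NETSH command" should read "using the following NETSH command".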
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 12a1d052f8..a1a99dd250 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -87,6 +87,8 @@ For more information, see [SurfaceHub configuration service provider](https://ms | Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
    | Yes.
    [Use a custom setting.](#example-sccm) | Yes | | Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
    | Yes.
    [Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
    [Use a custom policy.](#example-intune) | Yes.
    [Use a custom setting.](#example-sccm) | Yes | +| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
    [Use a custom policy.](#example-intune) | Yes.
    [Use a custom setting.](#example-sccm) | Yes | ### Supported Windows 10 settings diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index bd66726afe..ec0bfbb284 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -38,6 +38,7 @@ Learn about managing and updating Surface Hub. | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. | + [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| ## Related topics diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index d5fdb07a74..613ec77311 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
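Review bot: In manage-settings-with-mdm-for-surface-hub.md, the two new rows for Dot3/LanProfile and Dot3/EapUserData are added after the "\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package." footnote rather than above it, so the footnote ends up in the middle of the settings table. Move both rows up so they directly follow the Properties/DoNotShowMyMeetingsAndFiles row and the footnote stays last.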
@@ -29,7 +29,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

    If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


    **802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
    **Note:** Surface Hub supports 802.1X using PEAP-MSCHAPv2. We currently do not support additional EAP methods such as 802.1X using PEAP-TLS or PEAP-EAP-TLS.

    **Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

    **Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | +| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


    **802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
    **Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).

    **Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

    **Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 From badd69bcd45e1475fa50c1a188355a841d53834a Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Wed, 15 Nov 2017 17:49:37 +0000 Subject: [PATCH 74/81] Merged PR 4513: RemoteWipe CSP updated with new 1709 node: doWipePersisUserData; image + ddf RemoteWipe CSP updated with new 1709 node: doWipePersisUserData; image + ddf (text added via external contribution) --- .../provisioning-csp-remotewipe-dmandcp.png | Bin 6785 -> 22533 bytes .../mdm/remotewipe-ddf-file.md | 23 ++++++++++++++++++ 2 files changed, 23 insertions(+) 
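Review bot: In the "Network and Internet access" row of prepare-your-environment-for-surface-hub.md, the change drops the statement "Surface Hub supports 802.1X using PEAP-MSCHAPv2. We currently do not support additional EAP methods such as 802.1X using PEAP-TLS or PEAP-EAP-TLS." and replaces it with a link, but the linked topic added in this patch refers to "the supported 802.1x authentication methods" without listing them. If the PEAP-MSCHAPv2 limit still applies, keep the sentence next to the new link; if the update lifts it, list the supported methods in enable-8021x-wired-authentication.md.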
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png index 2fc6da33fcceb32d083ecde96781ca81c8710235..fdbeb278abe4ce801f674ee5c5fe60c3081f193e 100644 GIT binary patch literal 22533
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index e9e79fbfaa..51f0a550f0 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). +The XML below is the DDF for Windows 10, version 1709. + ``` syntax Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. + + doWipePersistUserData + + + + + + + + + + + + + + + text/plain + + Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + ``` From b64f62d2754cab063e219af551c3873c84e76faa Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 15 Nov 2017 19:30:15 +0000 Subject: [PATCH 75/81] Merged PR 4537: Added Connectivity/DisallowNetworkConnectivityActiveTests to Policy CSP --- windows/client-management/mdm/euiccs-csp.md | 2 +- .../policy-configuration-service-provider.md | 3 ++ .../mdm/policy-csp-connectivity.md | 38 +++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 127aa77257..1ea5fdf102 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -12,7 +12,7 @@ ms.date: 11/01/2017 # eUICCs CSP -The eUICCs configuration service provider... This CSP was added in windows 10, version 1709. +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. The following diagram shows the eUICCs configuration service provider in tree format. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c44db4c35b..7a0a83df92 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -573,6 +573,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
    +
    + Connectivity/DisallowNetworkConnectivityActiveTests +
    Connectivity/HardenedUNCPaths
    diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 8eeb5e4585..a0ecb34a40 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -52,6 +52,9 @@ ms.date: 11/01/2017
    Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
    +
    + Connectivity/DisallowNetworkConnectivityActiveTests +
    Connectivity/HardenedUNCPaths
    @@ -634,6 +637,41 @@ ADMX Info:
    +**Connectivity/DisallowNetworkConnectivityActiveTests** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + + +Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. + +Value type is integer. + + + +
    + **Connectivity/HardenedUNCPaths** From 57735ecc03ef763ff1b1996c775fd2b4cab2f0e4 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 15 Nov 2017 20:44:44 +0000 Subject: [PATCH 76/81] Merged PR 4538: Fixed broken link --- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- ...s-10-start-screens-by-using-provisioning-packages-and-icd.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 7c62a1cfd4..929bea684c 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -47,7 +47,7 @@ Three features enable Start and taskbar layout control: - The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 544462e2ea..1447c25de9 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
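Review bot: In PATCH 75/81, the rewritten sentence in euiccs-csp.md (`@@ -12,7 +12,7 @@`) still ends with "This CSP was added in windows 10, version 1709"; capitalize the product name as "Windows 10" while the line is being replaced. This file is also unrelated to the Connectivity policy named in the commit subject, so mention it in the message or move it to its own change.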
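Review bot: In PATCH 75/81, the new Connectivity/DisallowNetworkConnectivityActiveTests entry in policy-csp-connectivity.md (`@@ -634,6 +637,41 @@`) documents the setting only as "Value type is integer" and never lists the supported values or the default, so an admin cannot tell which value turns the NCSI active probe off. Add the value list with the default, and say what NCSI reports about Internet connectivity once the DNS request and HTTP query to www.msftconnecttest.com are suppressed, since the text describes the probe but not the effect of removing it.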
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -40,7 +40,7 @@ Two features enable Start layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.   diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 18f215ad22..cae45faff6 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -35,7 +35,7 @@ Three features enable Start and taskbar layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. From 4326be2928ff024ce3ca39f443f39f6e7b866517 Mon Sep 17 00:00:00 2001 
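Review bot: In PATCH 76/81, the group-policy topic's unchanged context line just above the fixed note still links Export-StartLayout through `https://go.microsoft.com/fwlink/p/?LinkID=620879`, the same redirect style that broke for Import-StartLayout. Verify that redirect in this change and point it at the docs.microsoft.com cmdlet page if it fails too. The other two topics name **Export-StartLayout** with no link at all, so the three files remain inconsistent after the fix.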
From: Greg Lindsay Date: Thu, 16 Nov 2017 17:12:54 +0000 Subject: [PATCH 77/81] Merged PR 4541: Fixed formatting issues Fixed formatting issues --- windows/deployment/windows-10-poc.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index b7d72b7783..9e55510904 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -92,7 +92,7 @@ Harware requirements are displayed below: **OS** - Windows 8.1/10 or Windows Server 2012/2012 R2/2016* + Windows 8.1/10 or Windows Server 2012/2012 R2/2016\* Windows 7 or a later @@ -129,7 +129,7 @@ Harware requirements are displayed below: -*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. +\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.

    The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. @@ -229,7 +229,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - +
    ![VHD](images/download_vhd.png)
    @@ -262,7 +262,7 @@ w10-enterprise.iso >Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. -
    +
    If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
      @@ -292,7 +292,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
      - +
      @@ -363,7 +363,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
      -
      Architecture
      +
      @@ -372,8 +372,8 @@ The following table displays the Hyper-V VM generation to choose based on the OS - - + + @@ -384,7 +384,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS - + @@ -395,8 +395,8 @@ The following table displays the Hyper-V VM generation to choose based on the OS - - + + @@ -407,7 +407,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS - + @@ -513,7 +513,7 @@ Notes:
      ### Resize VHD -
      +
      **Enhanced session mode** **Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. @@ -524,7 +524,7 @@ To ensure that enhanced session mode is enabled on the Hyper-V host, type the fo >If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. -
      +
      The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. From c747cb2cbd24f202492274dc8eecb15fd65b9b1a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 17 Nov 2017 15:17:39 -0800 Subject: [PATCH 78/81] minor updates --- ...requirements-windows-defender-advanced-threat-protection.md | 2 +- ...cs-dashboard-windows-defender-advanced-threat-protection.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 283ce4a02b..e8200e9584 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -66,7 +66,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t > Endpoints that are running mobile versions of Windows are not supported. #### Internet connectivity -Internet connectivity on endpoints is required. +Internet connectivity on endpoints is required either directly or through proxy. The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index 7eaf489912..f8b9b55c33 100644 --- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -29,6 +29,9 @@ ms.date: 10/17/2017 The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. +>[!IMPORTANT] +> This feature is available for machines on Windows 10, version 1703 or later. + The **Security analytics dashboard** displays a snapshot of: - Organizational security score - Security coverage From 5691d0bd08fb3b3c11fb4b17bc40f26dd3b6a7dd Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 17 Nov 2017 23:20:02 +0000 Subject: [PATCH 79/81] Merged PR 4582: Experience/AllowManualMDMUnenrollment in Policy CSP --- windows/client-management/mdm/policy-csp-experience.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 646d49acd0..df796d96ca 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -314,7 +314,7 @@ ms.date: 11/01/2017 -

      Specifies whether to allow the user to delete the workplace account using the workplace control panel. +

      Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect. > [!NOTE] > The MDM server can always remotely delete the account. From b6b450b02fbe7bd578d22c4cf6105ae6f895e3a6 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 17 Nov 2017 23:20:56 +0000 Subject: [PATCH 80/81] Merged PR 4581: Updated Policy CSP --- ...ew-in-windows-mdm-enrollment-management.md | 51 +++++- .../policy-configuration-service-provider.md | 15 ++ .../mdm/policy-csp-authentication.md | 9 +- .../mdm/policy-csp-cellular.md | 167 +++++++++++++++++- .../client-management/mdm/policy-csp-start.md | 38 ++++ 5 files changed, 267 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index b3c6da87b5..c74bbd6838 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1029,6 +1029,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s

    1. Authentication/AllowFidoDeviceSignon
    2. Browser/LockdownFavorites
    3. Browser/ProvisionFavorites
    4. +
    5. Cellular/LetAppsAccessCellularData
    6. +
    7. Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    8. +
    9. Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    10. +
    11. Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    12. CredentialProviders/DisableAutomaticReDeploymentCredentials
    13. DeviceGuard/EnableVirtualizationBasedSecurity
    14. DeviceGuard/RequirePlatformSecurityFeatures
    15. @@ -1081,6 +1085,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    16. Education/PrinterNames
    17. Search/AllowCloudSearch
    18. Security/ClearTPMIfNotReady
    19. +
    20. Start/HidePeopleBar
    21. Storage/AllowDiskHealthModelUpdates
    22. System/LimitEnhancedDiagnosticDataWindowsAnalytics
    23. Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    24. @@ -1377,6 +1382,44 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### November 2017 + +
      OS Partition styleProcedure
      Windows 7MBRWindows 7MBR 32 1 [Prepare a generation 1 VM](#prepare-a-generation-1-vm)[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
      GPTGPT 32 N/A N/A[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
      Windows 8 or laterMBRWindows 8 or laterMBR 32 1 [Prepare a generation 1 VM](#prepare-a-generation-1-vm)[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
      GPTGPT 32 1 [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
      ++++ + + + + + + + + + + + +
      New or updated topicDescription
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following policies for Windows 10, version 1709:

      +
        +
      • Authentication/AllowFidoDeviceSignon
      • +
      • Cellular/LetAppsAccessCellularData
      • +
      • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
      • +
      • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
      • +
      • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
      • +
      • Start/HidePeopleBar
      • +
      • Storage/EnhancedStorageDevices
      • +
      • Update/ManagePreviewBuilds
      • +
      • WirelessDisplay/AllowMdnsAdvertisement
      • +
      • WirelessDisplay/AllowMdnsDiscovery
      • +
      +

      Added missing policies from previous releases:

      +
        +
      • Connectivity/DisallowNetworkConnectivityActiveTest
      • +
      • Search/AllowWindowsIndexer
      • +
      +
      + ### October 2017 @@ -1402,14 +1445,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    25. Defender/ControlledFolderAccessAllowedApplications - string separator is |.
    26. Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    27. -

      Added the following policies for Windows 10, version 1709:

      -
        -
      • Authentication/AllowFidoDeviceSignon
      • -
      • Storage/EnhancedStorageDevices
      • -
      • Update/ManagePreviewBuilds
      • -
      • WirelessDisplay/AllowMdnsAdvertisement
      • -
      • WirelessDisplay/AllowMdnsDiscovery
      • -
      diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7a0a83df92..4c4c7bab91 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -532,6 +532,18 @@ The following diagram shows the Policy configuration service provider in tree fo ### Cellular policies
      +
      + Cellular/LetAppsAccessCellularData +
      +
      + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
      +
      + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
      +
      + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
      Cellular/ShowAppCellularAccessUI
      @@ -2584,6 +2596,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Start/HideLock
      +
      + Start/HidePeopleBar +
      Start/HidePowerButton
      diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 14c360f83a..6a21929f0c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 11/16/2017 --- # Policy CSP - Authentication @@ -204,16 +204,17 @@ ms.date: 11/01/2017 -

      Added in Windows 10, version 1709. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. +

      Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 +

      Value type is integer. + +

      Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.

      The following list shows the supported values: - 0 - Do not allow. The FIDO device credential provider disabled.  - 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows. -

      Value type is integer. -
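Review bot: The new availability text in policy-csp-authentication.md, "Preview release in Windows 10, version 1709. Supported in the next release.", names no version for "the next release" and will go stale. It also disagrees with the change-history table added by this same patch, which lists Authentication/AllowFidoDeviceSignon under "Added the following policies for Windows 10, version 1709" with no preview qualifier. Name the release, or mark the policy as preview-only for 1709 in both places, so that an admin reading either page alone does not roll out FIDO device sign-on assuming it is fully supported. The example scenario sentence is also missing a verb ("employees throughout the day using as many as 20 different devices") and has "everytime"; suggest "employees use as many as 20 different devices throughout the day" and "every time".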


      diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 250e605bc9..b070a9305e 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 11/16/2017 --- # Policy CSP - Cellular @@ -19,11 +19,166 @@ ms.date: 11/01/2017 ## Cellular policies
      +
      + Cellular/LetAppsAccessCellularData +
      +
      + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
      +
      + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
      +
      + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
      Cellular/ShowAppCellularAccessUI
      +
      + +**Cellular/LetAppsAccessCellularData** + + +
      [eUICCs CSP](euiccs-csp.md)
      + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3cross markcross mark
      + + + +Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. + +You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. + +If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. + +If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it. + +If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it. + +If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. + +If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” + +Suported values: + +- 0 - User is in control +- 1 - Force Allow +- 2 - Force Deny + + + +
      + +**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3cross markcross mark
      + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + + +
      + +**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3cross markcross mark
      + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + + +
      + +**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3cross markcross mark
      + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +
      **Cellular/ShowAppCellularAccessUI** @@ -61,6 +216,16 @@ ms.date: 11/01/2017 +This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. + +If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. + +If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.” + +Supported values: + +- 0 - Hide +- 1 - Show > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 8ab24a2ad2..d3392ef73f 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -67,6 +67,9 @@ ms.date: 11/01/2017
      Start/HideLock
      +
      + Start/HidePeopleBar +
      Start/HidePowerButton
      @@ -901,6 +904,41 @@ ms.date: 11/01/2017 1. Enable policy. 2. Open Start, click on the user tile, and verify "Lock" is not available. + + +
      + +**Start/HidePeopleBar** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + + +

      Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + +

      Value type is integer. +
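Review bot: In policy-csp-cellular.md the new LetAppsAccessCellularData entries do not say which list wins when the same Package Family Name appears in more than one of ForceAllowTheseApps, ForceDenyTheseApps and UserInControlOfTheseApps; each entry only says it "overrides the default LetAppsAccessCellularData policy setting for the specified apps". State the precedence so that an admin can tell whether a deny entry can be undone by an allow entry. Smaller fixes in the same file: "Suported values:" should be "Supported values:"; there is a stray closing quote after "applied to the app." and again after "is showed by default." in the ShowAppCellularAccessUI hunk (where "showed" should be "shown"); the text refers to "this Group Policy object" in an MDM policy topic; and the lists are described as "Microsoft Store Apps" in two entries but "Windows Store Apps" in the UserInControlOfTheseApps entry.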
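Review bot: The new Start/HidePeopleBar entry in policy-csp-start.md stops at "Value type is integer." without a supported-values list, so a reader cannot tell which integer enables the policy or what the default is. Add the list in the form the other entries in this patch use (for example the "0 - Hide" / "1 - Show" list added for Cellular/ShowAppCellularAccessUI), with the values and default confirmed for this policy.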


      From 9dc799cdab92c2a9364a3bdee644b0aa27f82463 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 17 Nov 2017 23:24:26 +0000 Subject: [PATCH 81/81] Merged PR 4397: Merge ms-whfb-staging to whfb-staging Updates and then please push to master --- .../access-protection/hello-for-business/hello-features.md | 6 +++--- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- windows/access-protection/hello-for-business/toc.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md index 2e4ae4c446..af73b147d6 100644 --- a/windows/access-protection/hello-for-business/hello-features.md +++ b/windows/access-protection/hello-for-business/hello-features.md @@ -19,7 +19,7 @@ Consider these additional features you can use after your organization deploys W * [Conditional access](#conditional-access) * [Dynamic lock](#dynamic-lock) * [PIN reset](#PIN-reset) -* [Privileged workstation](#Priveleged-workstation) +* [Privileged credentials](#Priveleged-crednetials) * [Mulitfactor Unlock](#Multifactor-unlock) 
@@ -142,14 +142,14 @@ On-premises deployments provide users with the ability to reset forgotton PINs e >[!NOTE] > Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. -## Privileged Workstation +## Privileged Credentials **Requirements** * Hybrid and On-premises Windows Hello for Business deployments * Domain Joined or Hybird Azure joined devices * Windows 10, version 1709 -The privileged workstation scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. +The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0bd7c0a3b1..552c519832 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -81,7 +81,7 @@ Organizations using older directory synchronization technology, such as DirSync
      ## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated envionments, key trust deployments work in environments that have deployed [Password Syncrhonization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated envirnonments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. ### Section Review ### > [!div class="checklist"] @@ -91,7 +91,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
      ## Multifactor Authentication ## -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication. Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 5a8d5dd5c3..81267549c1 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -43,4 +43,4 @@ ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) -## [Windows Hello for Businesss Feature](hello-features.md) \ No newline at end of file +## [Windows Hello for Business Features](hello-features.md) \ No newline at end of file
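Review bot: In the first hunk of hello-features.md the renamed list entry links to "#Priveleged-crednetials", which is misspelled twice and does not match the heading "## Privileged Credentials" that the second hunk of the same file introduces, so the in-page link stays broken. Spell the anchor the way the heading is spelled. The unchanged entry just below it also has "Mulitfactor Unlock" as its link text, which is worth fixing in the same pass.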
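Review bot: In the second hunk of hello-features.md the rewritten sentence under "## Privileged Credentials" still carries "admistrative funcions"; since the line is being touched, correct it to "administrative functions". The context paragraph after it is the one that tells an admin how to turn the feature on, and it reads "Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration". Correct "smartd card" and "to all" (presumably "to allow") in the same change so the Group Policy setting name can be searched for verbatim.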
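Review bot: In the Multifactor Authentication hunk of hello-hybrid-key-trust-prereqs.md the changed line fixes the stray period after "as one factor" but leaves "credential the helps organizations" (should be "that helps"), and the clause "but needs a second factor of authentication" has no clear subject. Suggest ending the sentence with "but the process also requires a second factor of authentication." The context line that follows has "multifactor authentication provides by Windows Server 2012 R2", which should read "provided by".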
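Review bot: In PATCH 79/81 (policy-csp-experience.md) the added sentence says that on an Azure Active Directory joined, MDM enrolled device "disabling the MDM unenrollment has no effect", but it does not say what the reader should conclude: whether the user can still remove the account despite the policy, or whether removal is already prevented by the join. An admin relying on this policy to keep devices under management needs that stated explicitly. Also reword "which is majority of the case for Intune" to something like "which is the case for most Intune deployments".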
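Review bot: In PATCH 78/81 (minimum-requirements-windows-defender-advanced-threat-protection.md) the changed line "Internet connectivity on endpoints is required either directly or through proxy." now implies proxy support without saying which proxy configurations the sensor works with. Link to the topic that covers proxy settings for the sensor, and tidy the wording to "is required, either directly or through a proxy."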